CVE-2011-4786
published 2012-01-12

Priority: P2 66 · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 41.13% (98.5th percentile)
A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4787.

Affected (1 range)

Vendor  Product                     Version range  Fixed in
hp      easy_printer_care_software  <= 2.5         -

Detection & IOCs (extracted from sources)

filename: HPTicketMgr.dll
other:    HPESPRIT.XMLCacheMgr.1 (ActiveX ProgID)
command:  CacheDocumentXMLWithId (method)
path:     C:\windows\system32\wbem\mof\good\<random>.mof
version:  HPTicketMgr.dll 2.7.2.0
snort rule (ET SID 2014132):
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2;)
  • Detect exploit delivery by inspecting HTTP response bodies for 'ActiveXObject', 'HPESPRIT.XMLCacheMgr.1' and 'CacheDocumentXMLWithId' appearing in that order (ET SID 2014132; the distance:0 modifiers make the matches positional, not merely "all three present somewhere").
  • Scope the rule to client endpoints: the exploit page is delivered server-to-client over HTTP (flow:established,to_client) and only triggers in Internet Explorer (the exploit module gates on a User-Agent matching /MSIE/), so hits against non-IE clients are low priority.
  • Monitor for unexpected .vbs file creation under C:\Windows\System32\ and .mof file drops under C:\Windows\System32\wbem\mof\ and C:\Windows\System32\wbem\mof\good\; these are the WMI staging paths the exploit uses (the WMI service compiles a .mof dropped in wbem\mof\ and moves it to wbem\mof\good\ on success).
  • Execution relies on pre-Vista WMI MOF auto-compilation: the dropped MOF registers a script event consumer that launches the dropped VBS payload. On pre-Vista Windows systems, alert on .mof writes to wbem\mof\ by anything other than an installer, on the WMI script-consumer host (scrcons.exe) or wmiprvse.exe spawning wscript.exe/cscript.exe, and on mofcomp.exe launched by an unexpected parent.
  • The exploit uses a 4-second setTimeout delay between the VBS drop and the MOF drop; behavioral sandboxes should extend dwell time well beyond 4 seconds to capture the second-stage MOF write.
  • The exploit only works on Windows versions prior to Vista; Vista and later do not auto-compile MOF files from that directory, so the WMI MOF execution technique fails there.
  • The Snort/ET rule (SID 2014132) requires all three strings, contiguous and in sequence, in one response; string concatenation, encoding, or splitting the page across multiple requests evades it.
  • The VBS and MOF filenames are randomly generated per session (the exploit module's rand_text_alpha), so static filename-based IOCs will not reliably detect all instances.
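The checks in the list above, turned into runnable code as an added example (this is not code from the cvebase page, the ET ruleset, or the exploit module). It models the three ordered, case-insensitive content matches of ET SID 2014132 with their distance:0 semantics, the /MSIE/ user-agent gate, the system32 .vbs and wbem\mof .mof staging-path IOCs, and a simple host-side correlation of a .vbs drop followed by a .mof drop. The sample page bodies and file-write events are constructed for illustration, the 10-second correlation window is an assumption chosen to cover the exploit's 4-second delay, and the path regexes are mine; the "split" page shows the concatenation evasion the caveat above describes.

```python
"""Detection helpers for CVE-2011-4786 (added example, not from the cvebase page,
the ET ruleset or the exploit module). Sample inputs below are constructed."""
import re
from typing import List, Optional, Tuple

# Content matches of ET SID 2014132 in rule order. The 2nd and 3rd carry
# distance:0, i.e. each must start at or after the end of the previous match.
ET_2014132_CONTENTS = (b"ActiveXObject", b"HPESPRIT.XMLCacheMgr.1", b"CacheDocumentXMLWithId")


def matches_et_2014132(body: bytes) -> bool:
    """Ordered, case-insensitive ('nocase') content matching over one response body."""
    hay = body.lower()
    pos = 0
    for needle in ET_2014132_CONTENTS:
        idx = hay.find(needle.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(needle)  # distance:0 -> next search starts at end of this match
    return True


def is_ie_client(user_agent: str) -> bool:
    """The exploit page only fires in IE; the exploit module gates on /MSIE/."""
    return re.search(r"MSIE", user_agent) is not None


# Staging paths from the IOC list. Windows paths are case-insensitive, so match nocase.
_VBS_DROP = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.vbs$", re.I)
_MOF_DROP = re.compile(r"^[a-z]:\\windows\\system32\\wbem\\mof(?:\\good)?\\[^\\]+\.mof$", re.I)


def classify_file_write(path: str) -> Optional[str]:
    """Label a file-create event by the staging path it hits, or None if neither."""
    if _VBS_DROP.match(path):
        return "vbs_drop_system32"
    if _MOF_DROP.match(path):
        return "mof_drop_wbem"
    return None


def correlate_drops(events: List[Tuple[float, str]], window: float = 10.0) -> List[Tuple[str, str]]:
    """Pair a system32 .vbs drop with a later wbem\\mof .mof drop within `window` seconds.
    The exploit waits 4 s between the two writes; the 10 s default is an assumed margin."""
    hits: List[Tuple[str, str]] = []
    vbs_seen: List[Tuple[float, str]] = []
    for ts, path in sorted(events):
        kind = classify_file_write(path)
        if kind == "vbs_drop_system32":
            vbs_seen.append((ts, path))
        elif kind == "mof_drop_wbem":
            for vts, vpath in vbs_seen:
                if 0 <= ts - vts <= window:
                    hits.append((vpath, path))
    return hits


# Constructed sample response bodies (not captured traffic).
EXPLOIT_LIKE_PAGE = b"""<html><script>
var o = new ActiveXObject("HPESPRIT.XMLCacheMgr.1");
o.CacheDocumentXMLWithId(/* arguments omitted */);
</script></html>"""

BENIGN_PAGE = b"""<html><script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
</script></html>"""

# Same calls with the ProgID and method name split by concatenation: no literal the
# rule needs is contiguous any more, so the rule misses it.
SPLIT_PAGE = b"""<html><script>
var o = new ActiveXObject("HPESPRIT." + "XMLCacheMgr.1");
o["CacheDocument" + "XMLWithId"](/* arguments omitted */);
</script></html>"""

# Constructed file-create events for one host: (seconds, path).
SAMPLE_FILE_EVENTS = [
    (0.0, r"C:\Windows\System32\drivers\etc\hosts"),
    (1.0, r"C:\Windows\System32\aBcDeFgH.vbs"),
    (5.2, r"C:\Windows\System32\wbem\mof\QwErTyUi.mof"),
    (5.4, r"C:\Windows\System32\wbem\mof\good\QwErTyUi.mof"),
]

if __name__ == "__main__":
    for name, page in (("exploit-like", EXPLOIT_LIKE_PAGE), ("benign", BENIGN_PAGE), ("split", SPLIT_PAGE)):
        print(f"{name:13s} ET 2014132 match: {matches_et_2014132(page)}")
    print("correlated drops:", correlate_drops(SAMPLE_FILE_EVENTS))
```

The greedy forward search is equivalent to Snort's evaluation for this rule because every constraint is a pure "after the previous match" distance:0; a later occurrence of 'ActiveXObject' can never rescue a page where nothing follows the first one. Note that the real rule also depends on Snort reassembling the HTTP response and decompressing gzip bodies before content matching, which this function assumes has already happened.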