cbcvebase.
CVE-2011-4876
published 2012-02-03

CVE-2011-4876: Directory traversal vulnerability in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP…

PriorityP259critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
9.85%
95.0th percentile
Directory traversal vulnerability in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute, read, create, modify, or delete arbitrary files via a .. (dot dot) in a string.

Affected

11 ranges
VendorProductVersion rangeFixed in
siemenssimatic_hmi_panels
siemenssimatic_hmi_panels
siemenssimatic_hmi_panels
siemenssimatic_hmi_panels
siemenssimatic_hmi_panels
siemenswincc
siemenswincc_flexible
siemenswincc_flexible
siemenswincc_flexible
siemenswincc_flexible
siemenswincc_runtime_advanced

Detection & IOCsextracted from sources · hover to see the quote

port4410
port2308
commandudpsz -C "0004 03" 0 -C "01000000 80000000" 0x16 -c ".\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0e\0v\0i\0l\0.\0e\0x\0e\0" 0x1e -T SERVER 2308 2+0x400
commandmydown http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini
commandudpsz -c "POST \xfa\x01\x01\x01\x45\x40\x40\x41 HTTP/1.0\r\n\r\n" -T SERVER 80 -1
processHmiLoad
bytes
0004 03 00 00 00 00000000 00000000 00000000 00000000 00000000 ffffffff
bytes
\xfa
  • Detect HmiLoad directory traversal by monitoring UDP traffic to port 2308 containing Unicode dot-dot sequences (e.g., '.\0.\0/\0') in the payload, indicative of path traversal attempts against the Transfer Mode service.
  • Detect miniweb directory traversal by monitoring HTTP requests containing encoded backslash traversal patterns (..%5c) in the URI path.
  • Detect miniweb memory read abuse by alerting on HTTP POST requests where the URI begins with byte 0xfa, which triggers the binary URI parsing code path.
  • Detect HmiLoad stack overflow attempts by monitoring UDP traffic to port 2308 with packets beginning with '0004' opcode and a size field of 0xffffffff.
  • Flag any process spawning or presence of HmiLoad listening on port 4410 (Transfer Mode), as this exposes the vulnerable attack surface.
  • ·The vulnerability is only exploitable when Transfer Mode is explicitly enabled on the HMI device; systems not in Transfer Mode are not exposed via port 4410.
  • ·HmiLoad must be manually added to the startup folder to run automatically; it is not enabled by default in all deployments.
  • ·No vendor fix was available at the time of disclosure; all affected versions (WinCC flexible 2004/2005/2007/2008, WinCC V11, SIMATIC HMI panels) remain vulnerable without a patch.
  • ·miniweb.exe exposes ports 80 and 443 only when the miniweb service is started; the directory traversal and memory read vulnerabilities are conditional on this service running.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.