CVE-2012-4598
published 2012-08-22

Priority: P357
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 29.38% (97.9th percentile)

An unspecified ActiveX control in McAfee Virtual Technician (MVT) before 6.4, and ePO-MVT, allows remote attackers to execute arbitrary code or cause a denial of service (Internet Explorer crash) via a crafted web site.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
mcafee | epo_mcafee_virtual_technician | <= 1.0.7 |
mcafee | epo_mcafee_virtual_technician | |
mcafee | epo_mcafee_virtual_technician | |
mcafee | mcafee_virtual_technician | <= 6.3.0.1911 |

Detection & IOCs (extracted from sources)

other: CLSID: {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}
path: C:\Program Files\McAfee\Supportability\MVT\MVT.dll
filename: MVT.dll
filename: MVTInstaller.exe
command: var x = obj.GetObject("WScript.Shell"); x.Exec("cmd /c start calc");
command: var y = obj.GetObject(0x0c0c0c0c);
version: MVT.MVTControl.6300

  • Detect instantiation of the vulnerable ActiveX control by its CLSID {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF} or ProgID MVT.MVTControl.6300 in browser/HTML content.
  • Alert on calls to the GetObject() method on the MVTControl ActiveX object, especially with arguments of 'WScript.Shell' or arbitrary numeric memory addresses (e.g. 0x0c0c0c0c), as these indicate exploitation attempts.
  • Monitor for child processes of Internet Explorer (iexplore.exe) spawning cmd.exe or WScript.Shell-based execution, which is the post-exploitation pattern for this vulnerability.
  • The Metasploit module delivers a payload EXE via HTTP with Content-Type 'application/octet-stream'; detect User-Agent filtering for MSIE and .exe URI patterns in web server logs as indicators of exploit delivery.
  • The Metasploit module uses 'migrate -f' as InitialAutoRunScript; detect process migration activity (e.g. CreateRemoteThread into a new process) shortly after iexplore.exe payload execution.
  • Check for presence of MVT.dll loaded in iexplore.exe process space as evidence of the vulnerable control being active.
  • The ActiveX control reports Safe for Scripting = true via IObjectSafety, meaning Internet Explorer will allow remote scripting without additional prompts, broadening the attack surface.
  • Exploitation is confirmed against Internet Explorer 7, 8, and 9 on Windows Vista SP2 and Windows 2003 R2 SP2; detections should be scoped to these browser/OS combinations.
  • The vulnerability affects MVT versions before 6.4; version 6.3.0.1911 is the confirmed vulnerable build. Ensure version checks target this specific file version of MVT.dll.
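
The first two detection points above, written as a content scanner for proxy or mail-gateway captures; this is an added example, not code from the original page or from any vendor tooling. It flags HTML/script that references the control's CLSID or ProgID and raises the verdict when GetObject() is called with 'WScript.Shell' or a numeric argument. The function name scan, the verdict labels and the sample inputs are assumptions constructed for illustration.

```python
import re

# Indicators taken from this page.
CLSID = "2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"
PROGID = "MVT.MVTControl.6300"

# Matches classid="clsid:..." with or without braces, in any letter case.
CLSID_RE = re.compile(r"\{?" + re.escape(CLSID) + r"\}?", re.I)
PROGID_RE = re.compile(re.escape(PROGID), re.I)
# obj.GetObject(<arg>): capture the single argument for classification.
GETOBJECT_RE = re.compile(r"\.\s*GetObject\s*\(\s*([^)]*?)\s*\)", re.I)
SHELL_ARG_RE = re.compile(r"""^["']WScript\.Shell["']$""", re.I)
NUMERIC_ARG_RE = re.compile(r"^(0x[0-9a-f]+|\d+)$", re.I)


def scan(content: str) -> dict:
    """Classify HTML/script content against the MVT control indicators."""
    findings = []
    if CLSID_RE.search(content):
        findings.append("clsid")
    if PROGID_RE.search(content):
        findings.append("progid")
    control_seen = bool(findings)
    for match in GETOBJECT_RE.finditer(content):
        arg = match.group(1)
        if SHELL_ARG_RE.match(arg):
            findings.append("getobject:wscript.shell")
        elif NUMERIC_ARG_RE.match(arg):
            findings.append("getobject:numeric-address")
    # GetObject() also exists as a legitimate script function, so a call only
    # raises the verdict when the same content references the MVT control.
    suspicious_call = any(f.startswith("getobject:") for f in findings)
    if control_seen and suspicious_call:
        verdict = "alert"
    elif control_seen:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed samples (not captured traffic).
SAMPLE_ALERT = (
    '<object classid="clsid:2ebe1406-be0e-44e6-ae10-247a0c5aedcf" id="obj">'
    '</object><script>var x = obj.GetObject( "WScript.Shell" );</script>'
)
SAMPLE_REVIEW = '<script>var o = new ActiveXObject("MVT.MVTControl.6300");</script>'
SAMPLE_CLEAN = '<script>var s = wmi.GetObject("winmgmts:");</script>'
```

Literal matching misses script that builds the CLSID or ProgID at run time, so treat a "clean" verdict as one signal alongside the process-based checks in the list above.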