CVE-2012-5932
published 2012-12-24

Priority: P276 · Severity: critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 62.75% (99.1th percentile)

Eval injection vulnerability in the ldapagnt_eval function in ldapagnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote attackers to execute arbitrary Perl code via a crafted application/x-amf request.

Affected

2 ranges

Vendor      Product                    Version range   Fixed in
microfocus  privileged_user_manager
microfocus  privileged_user_manager

Detection & IOCs (extracted from sources)

port: 443
url: /
filename: ldapagnt.dll
process: unifid.exe
path: %WINDIR%/system32/
bytes: \x00\x00\x00\x00\x00\x01\x00\x15\x53\x50\x46\x2e\x55\x74
  • Detect exploitation attempts by inspecting HTTP POST requests to the target service with Content-Type 'application/x-amf' combined with the 'x-flash-version' header, which is the attack delivery mechanism for CVE-2012-5932.
  • Successful exploitation can be confirmed if the HTTP response body contains both 'onResult' and 'Invalid user name or password' along with version string '2.3.1', indicating a vulnerable and exploitable target.
  • Post-exploitation staging drops a .vbs file into %WINDIR%\system32\ and uses Microsoft.XMLHTTP to fetch a follow-on EXE payload; monitor for unexpected .vbs file creation in system32 and outbound HTTP from unifid.exe.
  • The exploit targets the ldapagnt_eval() function via a crafted AMF request; monitor unifid.exe for unexpected child process creation or outbound network connections, as successful exploitation grants SYSTEM privileges.
  • The Metasploit module defaults to SSL on port 443; detection rules must account for TLS-wrapped AMF traffic and may require SSL inspection to see the Content-Type and x-flash-version headers.
  • The exploit temporarily disables SSL to serve the EXE payload over HTTP on a secondary listener port (SRVPORT), so detection should also cover plain HTTP traffic from the victim host during the staging phase.
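
The detection notes above can be combined into one triage pass over normalized telemetry. The following is an added example, not code from this page or from any vendor; the event schema (field names such as `type`, `headers`, `parent`, `direction`) and the sample events are constructed assumptions, and HTTP headers are assumed to be visible after TLS inspection.

```python
import ntpath

# Constructed sample events in an assumed, normalized schema (not real logs).
SAMPLE_EVENTS = [
    {"type": "http", "method": "POST", "dst_port": 443,
     "headers": {"Content-Type": "application/x-amf", "x-flash-version": "11,4,402,265"}},
    {"type": "http", "method": "POST", "dst_port": 443,
     "headers": {"Content-Type": "application/x-amf"}},
    {"type": "file_create", "path": r"C:\Windows\System32\aBcD.vbs", "process": "unifid.exe"},
    {"type": "file_create", "path": r"C:\Windows\Temp\report.vbs", "process": "wscript.exe"},
    {"type": "process_create", "parent": r"C:\PUM\unifid.exe", "image": "cscript.exe"},
    {"type": "net_connect", "process": "unifid.exe", "direction": "outbound", "dst_port": 8080},
    {"type": "net_connect", "process": "unifid.exe", "direction": "inbound", "dst_port": 443},
]

def _image(path):
    """Lower-cased executable name from a Windows path or bare name."""
    return ntpath.basename(path or "").lower()

def amf_post_with_flash_header(ev):
    """POST with Content-Type application/x-amf plus an x-flash-version header."""
    if ev.get("type") != "http" or ev.get("method", "").upper() != "POST":
        return False
    headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "application/x-amf" and "x-flash-version" in headers

def vbs_dropped_in_system32(ev):
    """A .vbs file created directly in <WINDIR>\\system32, on any drive."""
    if ev.get("type") != "file_create":
        return False
    directory, name = ntpath.split(ev.get("path", "").replace("/", "\\").lower())
    return name.endswith(".vbs") and directory.endswith("\\system32")

def unifid_child_or_outbound(ev):
    """unifid.exe spawning a child process or opening an outbound connection."""
    if ev.get("type") == "process_create":
        return _image(ev.get("parent")) == "unifid.exe"
    if ev.get("type") == "net_connect":
        return _image(ev.get("process")) == "unifid.exe" and ev.get("direction") == "outbound"
    return False

RULES = (amf_post_with_flash_header, vbs_dropped_in_system32, unifid_child_or_outbound)

def triage(events):
    """Return (event index, rule name) for every rule an event matches."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]

if __name__ == "__main__":
    for index, rule_name in triage(SAMPLE_EVENTS):
        print(index, rule_name)
```

Correlating hits from more than one rule on the same host within a short window gives a stronger signal than any single rule alone.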