CVE-2013-0658
published 2013-02-15


Priority: P269 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 21.53% (97.3th percentile)
Heap-based buffer overflow in RFManagerService.exe in Schneider Electric Accutech Manager 2.00.1 and earlier allows remote attackers to execute arbitrary code via a crafted HTTP request.

Affected

1 range
Vendor: schneider-electric
Product: accutech_manager
Version range: <= 2.00.1
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

process: RFManagerService.exe
port: 2537/TCP
port: 2536/TCP
command: GET /<400-byte overflow payload> HTTP/1.1
bytes: \x41 * 400 (400-byte 'A' buffer in HTTP GET path)
  • Monitor for oversized HTTP GET requests (≥400 bytes in the URL path) sent to TCP port 2537 targeting RFManagerService.exe; the PoC triggers the overflow by placing a 400-byte buffer in the GET path.
  • The vulnerable function sub_40E006 copies the HTTP GET path data into a statically-sized heap buffer; crash manifests as an access violation with EIP/ECX pointing to attacker-controlled 0x41414141 values.
  • Alert on any inbound TCP connections to port 2537 from untrusted/external networks; CISA explicitly recommends ensuring this port is not accessible from the Internet.
  • Crash signature to look for in process monitoring: RFManagerService.exe access violation with register values eax=41414141 and ecx=41414141, indicating heap corruption from the overflow.
  • RFManagerService.exe binds to both TCP 2536 and TCP 2537 by default; only port 2537 is the documented attack vector for this CVE, but both ports should be firewalled from untrusted networks.
  • Affected versions are Accutech Manager 2.00.1 and older; the PoC was written against version 1.89.2, confirming multiple older releases are vulnerable.
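
The monitoring guidance above, as an added detection example (not code from the advisory, the vendor, or this database): it checks one reassembled client payload for a GET path of 400 bytes or more on TCP 2537 and for untrusted sources reaching either service port. The function names, the trusted network range and the sample inputs are assumptions constructed for illustration.

```python
import ipaddress

# From the page: the service listens on 2536/TCP and 2537/TCP, the documented
# vector is 2537, and the PoC places a 400-byte buffer in the GET path.
SERVICE_PORTS = {2536, 2537}
VECTOR_PORT = 2537
PATH_LIMIT = 400
# Assumption: the networks this site treats as trusted (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def request_path(payload: bytes):
    """Return the raw request target of a GET request line, or None."""
    line = payload.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":
        return None
    # An overlong target may be captured before the " HTTP/1.1" suffix,
    # so a request line without a version token is still measured.
    return parts[1]

def evaluate(src_ip: str, dst_port: int, payload: bytes):
    """Return alert names for one client-to-server payload."""
    alerts = []
    if dst_port not in SERVICE_PORTS:
        return alerts
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_NETS):
        alerts.append("untrusted-source")
    if dst_port == VECTOR_PORT:
        path = request_path(payload)
        if path is not None and len(path) >= PATH_LIMIT:
            alerts.append("oversized-get-path")
    return alerts

if __name__ == "__main__":
    # Constructed sample traffic: (source IP, destination port, payload).
    samples = [
        ("10.20.1.5", 2537, b"GET /index.html HTTP/1.1\r\nHost: hmi\r\n\r\n"),
        ("10.20.1.5", 2537, b"GET /" + b"A" * 400 + b" HTTP/1.1\r\n\r\n"),
        ("203.0.113.9", 2536, b""),
    ]
    for src, port, data in samples:
        print(src, port, evaluate(src, port, data))
```

The length test counts the whole request target including the leading slash, so it fires slightly below the PoC's size rather than above it.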