CVE-2013-10057
published 2025-08-01

Priority: P3 (52) · Severity: high · CVSS 4.0 base score: 7.5
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  (Threat, Environmental and Supplemental metrics all not defined: E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
Exploit: yes
EPSS: 1.12% (62.2nd percentile)
A stack-based buffer overflow vulnerability exists in Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx), specifically the ConnectToSynactis method. When a long string is passed to this method—intended to populate the ldCmdLine argument of a WinExec call—a strcpy operation overwrites a saved TRegistry class pointer on the stack. This allows remote attackers to execute arbitrary code in the context of the user by enticing them to visit a malicious webpage that instantiates the vulnerable ActiveX control. The vulnerability was discovered via its use in third-party software such as Logic Print 2013.

Affected (1 range)

Vendor      Product          Version range   Fixed in
synactis    pdf_in-the-box

Detection & IOCs (extracted from sources)

filename: PDF_IN_1.ocx
other: ConnectToSynactis
  • Monitor for instantiation of the Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx) from browser processes, particularly when the ConnectToSynactis method is invoked with an unusually long string argument.
  • Detect WinExec calls spawning a browser process from within PDF_IN_1.ocx context; the exploit causes an additional browser window to pop up as a side effect of the WinExec call used internally by the control.
  • Alert on strcpy-based stack corruption patterns in ActiveX controls loaded by Internet Explorer, specifically overwriting a saved TRegistry class pointer on the stack — a distinctive artifact of this exploit's memory corruption primitive.
  • Scope detection to Internet Explorer as the default browser; the exploit requires IE as the default browser to function correctly via the WinExec ldCmdLine path.
  • The exploit is delivered via a malicious webpage that instantiates the ActiveX control; exploitation requires the victim to browse to an attacker-controlled page using Internet Explorer as the default browser.
  • The vulnerability also affects third-party software bundling the component (e.g., Logic Print 2013), meaning PDF_IN_1.ocx may be registered on systems that do not have Synactis software installed directly.
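An added detection example (not from the CVE record or from any vendor): Python that correlates constructed image-load and process-create events to flag a browser that loads PDF_IN_1.ocx and then spawns a child process, the WinExec side effect described in the notes above. The event field names are an assumption modelled on Sysmon-style telemetry, and every event below is constructed.

```python
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
VULN_CONTROL = "pdf_in_1.ocx"  # the vulnerable ActiveX control named in the record

# Constructed sample telemetry (field names are an assumption, not a product schema):
# pid 4100 is a browser that loads the OCX and then spawns a second browser window;
# pid 5000 is a bundling application that loads the OCX but never spawns a child.
SAMPLE_EVENTS = [
    {"ts": 1, "event": "image_load", "pid": 4100, "image": "iexplore.exe",
     "loaded": r"C:\Windows\SysWOW64\PDF_IN_1.ocx"},
    {"ts": 2, "event": "process_create", "pid": 4200, "ppid": 4100,
     "image": "iexplore.exe"},
    {"ts": 3, "event": "image_load", "pid": 5000, "image": "LogicPrint.exe",
     "loaded": r"C:\Program Files\Logic Print 2013\PDF_IN_1.ocx"},
    {"ts": 4, "event": "process_create", "pid": 7000, "ppid": 1,
     "image": "explorer.exe"},
]


def loads_vulnerable_control(ev):
    """True when an image_load event refers to PDF_IN_1.ocx (case-insensitive)."""
    return ev["event"] == "image_load" and ev["loaded"].lower().endswith(VULN_CONTROL)


def detect(events):
    """Return (severity, pid, reason) tuples in timestamp order.

    medium: a browser process loaded PDF_IN_1.ocx
    high:   that browser later spawned a child (the WinExec side effect)
    info:   a non-browser process loaded the OCX (bundled software such as
            Logic Print may register it legitimately)
    """
    browser_loaded_at = {}  # pid -> ts of the first OCX load inside a browser
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if loads_vulnerable_control(ev):
            if ev["image"].lower() in BROWSERS:
                browser_loaded_at.setdefault(ev["pid"], ev["ts"])
                alerts.append(("medium", ev["pid"], "browser loaded PDF_IN_1.ocx"))
            else:
                alerts.append(("info", ev["pid"], f"{ev['image']} loaded PDF_IN_1.ocx"))
        elif ev["event"] == "process_create" and ev.get("ppid") in browser_loaded_at:
            alerts.append(("high", ev["ppid"],
                           f"spawned {ev['image']} after loading PDF_IN_1.ocx"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Feeding real telemetry means mapping your sensor's image-load and process-create records onto the assumed field names; scoping to hosts where Internet Explorer is the default browser, as the notes suggest, would cut false positives further.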