CVE-2013-2827
published 2014-01-15


Priority: P262 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 49.23% (98.7th percentile)
An unspecified ActiveX control in WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 allows remote attackers to download arbitrary DLL code onto a client machine and execute this code via the ProjectURL property value.

Affected

3 ranges
Vendor      Product          Version range  Fixed in
wellintech  kingalarm_event  <= 2.0.2
wellintech  kinggraphic      <= 3.1
wellintech  kingscada        <= 3.1

Detection & IOCs (extracted from sources)

filename: kxClientDownload.ocx
path: /libs/*.dll
port: 8130/TCP
  • Monitor for HTTP requests matching the pattern /libs/*.dll being served from an attacker-controlled web server to KingSCADA clients. This is the delivery path for the malicious DLL payload in exploit modules targeting this CVE.
  • Detect exploitation attempts by monitoring for the kxClientDownload.ocx ActiveX control being instantiated in Internet Explorer (MSIE) or the KingSCADA client browser (KXCLIE user-agent), especially when the ProjectURL property is set to a remote/external URL.
  • Alert on LoadLibrary calls made by kxClientDownload.ocx, which runs inside the browser process, when they load DLLs from user-writable or temp directories. This is the mechanism of code execution for this vulnerability.
  • Monitor for process migration activity (migrate -f) immediately after browser-based exploitation, as the Metasploit module sets 'migrate -f' as the InitialAutoRunScript to escape the browser process.
  • Exploitation only succeeds when Internet Explorer Protected Mode is disabled; detections based on browser process behavior should account for this prerequisite.
  • The exploit targets Windows clients running Internet Explorer (MSIE) or the KingSCADA native client browser (KXCLIE); non-Windows or non-IE environments are not affected by this specific attack vector.
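
The network-side indicators above can be combined into one proxy-log check. The following is an added example, not code from this page or from any vendor; the log layout, the trusted host name and the sample lines are constructed assumptions, and only the /libs/*.dll path, the MSIE/KXCLIE user-agent strings and port 8130 come from the indicators listed here.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicators from the page: /libs/*.dll, MSIE or KXCLIE user-agent, 8130/TCP.
DLL_PATH = re.compile(r"/libs/[^/]+\.dll$", re.IGNORECASE)
CLIENT_UA = re.compile(r"MSIE|KXCLIE")
IOC_PORT = 8130
# Assumed log layout: timestamp client method url status "user-agent"
LINE = re.compile(r'(\S+) (\S+) [A-Z]+ (\S+) \d{3} "([^"]*)"$')
# Assumption: hosts allowed to serve project DLLs to KingSCADA clients.
TRUSTED_HOSTS = {"scada01.plant.example"}

def check_line(line):
    """Return a finding dict for a DLL fetch under /libs/, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, raw_url, ua = m.groups()
    url = urlsplit(raw_url)
    # Decode %xx first so an encoded file name cannot dodge the match.
    if not DLL_PATH.search(unquote(url.path)):
        return None
    tags = []
    if (url.hostname or "") not in TRUSTED_HOSTS:
        tags.append("untrusted-host")
    if CLIENT_UA.search(ua):
        tags.append("ie-or-kxclie")
    if url.port == IOC_PORT:
        tags.append("port-8130")
    # A DLL fetched from outside the trusted set is what warrants an alert.
    severity = "alert" if "untrusted-host" in tags else "info"
    return {"ts": ts, "client": client, "url": raw_url,
            "severity": severity, "tags": tags}

def scan(lines):
    """Check every log line and keep only the findings."""
    return [f for f in map(check_line, lines) if f]

# Constructed sample log lines (documentation address ranges, made-up names).
SAMPLE_LOG = [
    '2014-01-20T08:01:02Z 10.0.5.21 GET http://scada01.plant.example:8130/libs/sample1.dll 200 "KXCLIE"',
    '2014-01-20T08:03:10Z 10.0.5.21 GET http://198.51.100.7/libs/sample2.dll?v=1 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '2014-01-20T08:04:00Z 10.0.5.30 GET http://203.0.113.9/libs/readme.txt 200 "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '2014-01-20T08:05:00Z 10.0.5.44 GET http://203.0.113.9:8130/LIBS/%73ample3.DLL 200 "curl/7.30.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["client"], finding["url"], finding["tags"])
```

Fetches from a trusted project server are kept as "info" rather than dropped, so a baseline of normal client downloads is available when tuning the trusted host list.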