cbcvebase.
CVE-2014-1649
published 2014-05-16

Priority: P2 · 63 · high
CVSS 2.0: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 42.31% (98.5th percentile)
The server in Symantec Workspace Streaming (SWS) before 7.5.0.749 allows remote attackers to access files and functionality by sending a crafted XMLRPC request over HTTPS.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
symantec | workspace_streaming | <= 7.5.0 |
symantec | workspace_streaming | |

Detection & IOCs (extracted from sources)

port: 9855
port: 9832
url: /xmlrpc
process: as_agent.exe
process: as_ste.exe
command: ManagementAgentServer.putFile
command: ManagementAgentServer.getFile
other: *AWESE
path: ../server/appstream/deploy/
bytes: \xac\xed\x00\x05
  • Detect unauthenticated HTTPS POST requests to /xmlrpc on port 9855 containing XMLRPC method calls to ManagementAgentServer.putFile or ManagementAgentServer.getFile — these indicate exploitation of CVE-2014-1649.
  • Look for Java serialized object streams (magic bytes 0xACED0005) in XMLRPC POST body payloads to /xmlrpc on port 9855, indicating a serialized com.appstream.cm.general.FileInfo object being uploaded.
  • Alert on the server root token '*AWESE' appearing in XMLRPC request bodies to the as_agent.exe service — this is a fixed exploit artifact used to reference the server root directory.
  • Monitor for WAR file creation or HTTP requests to the JBoss auto-deploy path ../server/appstream/deploy/ on port 9832 (as_ste.exe), which indicates the second stage of the exploit achieving RCE.
  • Monitor for the class name 'com.appstream.cm.general.FileInfo' in network traffic or serialized payloads, as it is the specific Java class used to wrap the malicious file upload.
  • The exploit targets port 9855 (as_agent.exe) for the initial XMLRPC file upload and port 9832 (as_ste.exe/JBoss) for WAR auto-deploy RCE. Both ports must be monitored; the attack is a two-stage chain across these two services.
  • The vulnerability is exploitable in both single-machine and multi-machine (backend role) deployments of Symantec Workspace Streaming, so detection rules should not be scoped only to standalone servers.
  • The exploit is delivered over HTTPS, so TLS inspection is required to detect the malicious XMLRPC payload in transit.
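
One way to apply the network-side checks listed above to already-decrypted request records, as an added example that is not taken from the advisory or from any vendor tooling. The record fields, the `classify` thresholds and the base64 prefix check (`rO0AB` is how the magic bytes begin once base64-encoded) are assumptions.

```python
import re

# Indicators taken from the list above; the request-record shape is an assumption.
AGENT_PORT = 9855
METHODS = (b"ManagementAgentServer.putFile", b"ManagementAgentServer.getFile")
BODY_MARKERS = {
    "java_serialized": (b"\xac\xed\x00\x05", b"rO0AB"),  # raw magic, or its base64 prefix
    "root_token": (b"*AWESE",),
    "fileinfo_class": (b"com.appstream.cm.general.FileInfo",),
    "deploy_path": (b"server/appstream/deploy/",),
}
METHOD_RE = re.compile(rb"<methodName>\s*([^<\s]+)\s*</methodName>")

def match_indicators(req):
    """Return indicator names found in one decrypted HTTP request record.

    req is a hypothetical dict: dst_port (int), method (str), path (str), body (bytes).
    """
    path = req["path"].split("?", 1)[0].rstrip("/")
    if req["method"].upper() != "POST" or req["dst_port"] != AGENT_PORT or path != "/xmlrpc":
        return []
    hits = []
    m = METHOD_RE.search(req["body"])
    if m and m.group(1) in METHODS:
        hits.append("method:" + m.group(1).decode())
    for name, needles in BODY_MARKERS.items():
        if any(n in req["body"] for n in needles):
            hits.append(name)
    return hits

def classify(req):
    """'alert' = file method plus another marker, 'review' = any single hit, else 'none'."""
    hits = match_indicators(req)
    if any(h.startswith("method:") for h in hits) and len(hits) > 1:
        return "alert"
    return "review" if hits else "none"

# Constructed records for illustration; the bodies are filler, not real request layouts.
SAMPLES = [
    {"dst_port": 9855, "method": "POST", "path": "/xmlrpc",
     "body": b"<methodName>ManagementAgentServer.putFile</methodName> *AWESE rO0ABXNy"},
    {"dst_port": 9855, "method": "POST", "path": "/xmlrpc",
     "body": b"<methodName>ManagementAgentServer.getFile</methodName>"},
    {"dst_port": 9855, "method": "POST", "path": "/xmlrpc",
     "body": b"<methodName>system.listMethods</methodName>"},
    {"dst_port": 443, "method": "POST", "path": "/xmlrpc",
     "body": b"<methodName>ManagementAgentServer.putFile</methodName>"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), match_indicators(s))
```

This covers only the first stage on port 9855; WAR creation under the deploy path and traffic to port 9832 need host or file-integrity telemetry alongside it.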