CVE-2014-4936
published 2014-12-16


Priority: P2 64
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 16.78% (96.6th percentile)
The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable.

Affected

2 ranges
Vendor         Product                     Version range     Fixed in
malwarebytes   malwarebytes_anti-exploit   <= 1.04.1.1012    (not listed)
malwarebytes   malwarebytes_anti-malware   <= 2.02           (not listed)

Detection & IOCs (extracted from sources)

Domain: data-cdn.mbamupdates.com
  • Detect spoofed update responses by monitoring for HTTP responses to requests destined for data-cdn.mbamupdates.com that serve Content-Type: application/x-msdos-program or application/octet-stream — indicative of a malicious executable being delivered in place of a legitimate update.
  • Alert on MBAM/MBAE update traffic (User-Agent containing 'base:<version>') being served over plain HTTP (port 80) rather than HTTPS, which is a prerequisite for this MITM attack.
  • Flag DNS resolutions or HTTP connections to data-cdn.mbamupdates.com resolving to unexpected/non-Malwarebytes IP addresses, as the attack requires spoofing this update server.
  • The Metasploit module explicitly disables SSL/TLS options, confirming the vulnerable update channel operates over plain HTTP only; detection should focus on unencrypted port 80 traffic to the update domain.
  • The exploit module notes that MBAM versions at or below 2.0.2.1012 and MBAE versions at or below 1.03.1.1220 are vulnerable; versions beyond these thresholds are reported as not vulnerable by the module itself.
  • The URIPATH is hardcoded to '/' and cannot be changed by the attacker using this module, meaning the malicious update server responds on the root URI path.
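The three detection ideas above can be expressed as one small rule set run over proxy logs. The following is an added example (not code from the CVE record or from Malwarebytes): it parses constructed tab-separated proxy records and reports which rule fires for each request to the update domain. The field names (scheme, host, dst_ip, ua, ct), the log format and the "expected" CDN address range are all assumptions made for the example; the real address ranges would come from your own resolver history.

```python
"""Detection rules for the CVE-2014-4936 update-channel MITM pattern.

Added example; not from the CVE record or from Malwarebytes.  Rules:
  1. MBAM/MBAE update traffic (User-Agent containing 'base:<version>')
     carried over plain HTTP instead of HTTPS
  2. an executable content type served from the update domain
  3. the update domain resolving to an address outside an expected set
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

UPDATE_DOMAIN = "data-cdn.mbamupdates.com"
EXECUTABLE_TYPES = {"application/x-msdos-program", "application/octet-stream"}

# Placeholder assumption: the addresses the legitimate CDN normally resolves to.
# 203.0.113.0/24 is a documentation range chosen for the example, not a real
# Malwarebytes address block.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed proxy records (tab-separated key=value), not captured traffic.
SAMPLE_LOG = [
    "scheme=https\thost=data-cdn.mbamupdates.com\tdst_ip=203.0.113.10"
    "\tua=base:2.0.2.1012\tct=text/xml",
    "scheme=http\thost=data-cdn.mbamupdates.com\tdst_ip=198.51.100.7"
    "\tua=base:2.0.2.1012\tct=application/x-msdos-program",
    "scheme=http\thost=example.test\tdst_ip=198.51.100.8"
    "\tua=Mozilla/5.0\tct=application/octet-stream",
]


@dataclass
class ProxyRecord:
    scheme: str
    host: str
    dst_ip: str
    user_agent: str
    content_type: str


def parse_line(line: str) -> ProxyRecord:
    """Parse one constructed key=value proxy log line into a record."""
    fields = {}
    for token in line.split("\t"):
        key, _, value = token.partition("=")
        fields[key] = value
    return ProxyRecord(fields["scheme"], fields["host"], fields["dst_ip"],
                       fields.get("ua", ""), fields.get("ct", ""))


def classify(rec: ProxyRecord) -> List[str]:
    """Return the names of the rules that fire for a single record."""
    hits: List[str] = []
    if rec.host.lower() != UPDATE_DOMAIN:
        return hits  # only the update domain is in scope for these rules
    is_update_client = "base:" in rec.user_agent
    if is_update_client and rec.scheme == "http":
        hits.append("update_over_plain_http")
    media_type = rec.content_type.split(";")[0].strip().lower()
    if media_type in EXECUTABLE_TYPES:
        hits.append("executable_from_update_domain")
    addr = ipaddress.ip_address(rec.dst_ip)
    if not any(addr in net for net in EXPECTED_NETS):
        hits.append("unexpected_update_server_address")
    return hits


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Run every rule over a log and return (destination IP, rule hits) pairs."""
    results = []
    for rec in map(parse_line, lines):
        hits = classify(rec)
        if hits:
            results.append((rec.dst_ip, hits))
    return results


if __name__ == "__main__":
    for dst_ip, hits in scan(SAMPLE_LOG):
        print(dst_ip, ", ".join(hits))
```

Note that the plain-HTTP rule also fires on legitimate, unpatched clients, since that is how the vulnerable update channel behaves; treat it as an exposure indicator that identifies hosts to upgrade, while the executable content type and unexpected server address are the signals of an actual spoofed update.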