CVE-2015-0925
published 2015-01-22


Priority: P2 66 · Severity: critical · CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C) · Exploit: available · EPSS: 52.13% (98.8th percentile)
The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname.

Affected (1 range)

Vendor: ipass · Product: ipass_open_mobile · Version range: <= 2.4.4 · Fixed in: not listed

Detection & IOCs (extracted from sources)

  • path: \IPEFSYSPCPIPE
  • command: iPass.SWUpdateAssist.RegisterCOM <UNC>
  • command: System.Echo <random>
  • command: LaunchAppSysMode
  • Monitor for SMB named pipe connections to \IPEFSYSPCPIPE — this pipe is accessible by BUILTIN\Users and is the attack vector for CVE-2015-0925.
  • Alert on Unicode-encoded writes to \IPEFSYSPCPIPE containing UNC share paths (\\server\share\*.dll), which indicate an attempt to force the iPass service to load a remote DLL.
  • Detect the iPass.SWUpdateAssist.RegisterCOM command sent over the named pipe with a UNC path argument — this is the specific exploit primitive used to trigger remote DLL loading.
  • Detect the LaunchAppSysMode command sent over \IPEFSYSPCPIPE by non-SYSTEM processes — this command enables arbitrary command execution as SYSTEM.
  • Monitor for outbound SMB connections (port 445) originating from the iPass client service process (e.g., iPassPeriodicUpdater or similar), which may indicate the service is fetching a DLL from an attacker-controlled share.
  • The exploit check phase sends a System.Echo command over the pipe and looks for the echoed value in the response — repeated pipe open/write/read/close cycles on \IPEFSYSPCPIPE from a user-context process are a behavioural indicator.
  • The vulnerability only affects iPass Open Mobile versions before 2.4.5 on Windows; patched versions are not exploitable via this named pipe abuse.
  • Exploitation requires the attacker to be a remote authenticated user (member of BUILTIN\Users); unauthenticated or anonymous access to the pipe is not sufficient.
  • The Metasploit module uses a randomly generated 7-character DLL filename and a randomly named SMB share for each run, so static filename/share-name IOCs are not reliable for detection.
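As an added example (not code from this record, from iPass, or from the Metasploit module), a small Python detector that applies the pipe-name and command indicators above to captured pipe writes and to Sysmon-style pipe-connection events. The UTF-16LE framing of the pipe messages, the event dict layout, and every sample value below are assumptions constructed for the demo.

```python
import re

# Indicators taken from the CVE record above; everything else in this file is an assumption.
PIPE_NAME = r"\IPEFSYSPCPIPE"
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
# Matches a UNC path of the form \\server\share\...\name.dll
UNC_DLL = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+\\[^\s]*\.dll", re.IGNORECASE)


def classify_pipe_write(payload: bytes) -> list[str]:
    """Tag a captured write to the iPass pipe with the indicators it matches.

    Assumes the sensor hands over raw bytes and that commands travel as a UTF-16LE
    string (the record only says "Unicode string"; the exact framing is assumed).
    """
    try:
        text = payload.decode("utf-16-le")
    except UnicodeDecodeError:
        return ["undecodable-utf16-payload"]
    tags = []
    if "iPass.SWUpdateAssist.RegisterCOM" in text and UNC_DLL.search(text):
        tags.append("registercom-unc-dll")   # remote DLL load primitive
    if "LaunchAppSysMode" in text:
        tags.append("launchappsysmode")      # command execution as SYSTEM
    if "System.Echo" in text:
        tags.append("system-echo-probe")     # exploit's liveness check; weak signal alone
    return tags


def suspicious_pipe_events(events: list[dict]) -> list[dict]:
    """Return Sysmon-style Pipe Connected events (EID 18) for the iPass pipe that
    come from an account other than SYSTEM, i.e. the BUILTIN\\Users access path."""
    return [
        ev for ev in events
        if ev.get("EventID") == 18
        and ev.get("PipeName", "").upper() == PIPE_NAME.upper()
        and ev.get("User", "").upper() != SYSTEM_ACCOUNT.upper()
    ]


# Constructed sample data (not real captures): one write carrying a UNC DLL path, one echo
# probe, and two pipe connections of which only the second is from a user-context process.
SAMPLE_WRITE = "iPass.SWUpdateAssist.RegisterCOM \\\\10.0.0.5\\share\\abcdefg.dll".encode("utf-16-le")
PROBE_WRITE = "System.Echo 123456".encode("utf-16-le")
SAMPLE_EVENTS = [
    {"EventID": 18, "PipeName": r"\IPEFSYSPCPIPE", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\PLACEHOLDER\iPassPeriodicUpdater.exe"},   # assumed install path
    {"EventID": 18, "PipeName": r"\IPEFSYSPCPIPE", "User": r"WORKSTATION\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
]

if __name__ == "__main__":
    print(classify_pipe_write(SAMPLE_WRITE), classify_pipe_write(PROBE_WRITE))
    print([ev["Image"] for ev in suspicious_pipe_events(SAMPLE_EVENTS)])
```

Because the DLL and share names are randomised per run, the detector keys on the command name plus the UNC shape rather than on any fixed filename.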