CVE-2015-1497
published 2015-02-16

Priority: P1 83
Severity: critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 75.12% (99.4th percentile)

radexecd.exe in Persistent Systems Radia Client Automation (RCA) 7.9, 8.1, 9.0, and 9.1 allows remote attackers to execute arbitrary commands via a crafted request to TCP port 3465.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
persistent_systems | radia_client_automation | |
persistent_systems | radia_client_automation | |
persistent_systems | radia_client_automation | |
persistent_systems | radia_client_automation | |

Detection & IOCs (extracted from sources)

  • Detect unauthenticated TCP connections to port 3465 followed by a null-byte-delimited request containing the token 'hide hide' — this is the command injection trigger pattern used by all known exploits for CVE-2015-1497.
  • Alert on any TCP stream to port 3465 where the payload contains the byte sequence 0x68 0x69 0x64 0x65 0x20 0x68 0x69 0x64 0x65 ('hide hide') followed by a tab character (0x09), indicating command injection.
  • On Windows targets, monitor for radexecd.exe spawning cmd.exe with net user, net localgroup, netsh firewall, or reg add commands — these are the post-exploitation commands injected via the vulnerability.
  • On Linux targets, monitor for radexecd spawning sh -c with useradd or python reverse-shell one-liners as child processes.
  • The Metasploit module uses a VBS cmdstager (flavor: vbs, linemax: 290) on Windows targets; detect creation of .vbs stager files in temp directories by processes descended from radexecd.exe.
  • The exploit-db module (36206) drops a file named installservice.exe on an attacker-controlled SMB share and instructs the vulnerable host to fetch and execute it; monitor for radexecd.exe making outbound SMB (port 445) connections.
  • The vulnerability exists because radexecd.exe does not authenticate execution requests by default; enabling authentication (RBAC/Remote Notify security controls) mitigates the issue without patching.
  • The vendor advisory URL referenced in the Metasploit module points to Accelerite's guidance on enabling RBAC and Remote Notify security features as the recommended hardening measure.
  • All four product versions (7.9, 8.1, 9.0, 9.1) are affected across both Windows and Linux platforms, so detection rules should not be scoped to a single OS or version.
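
The network and process-lineage checks from the bullets above, sketched in Python as an added example (not code from this page, the vendor, or any exploit module). The function names, event fields and sample values are constructed assumptions; the stream check also covers the case where the trigger is split across TCP segments.

```python
import re

RADIA_PORT = 3465
TRIGGER = b"hide hide\x09"  # 'hide hide' + tab, the byte sequence listed above

# Child command lines the bullets list as post-exploitation activity.
CHILD_PATTERNS = [
    re.compile(r"\bcmd(\.exe)?\b.*\b(net\s+user|net\s+localgroup|"
               r"netsh\s+firewall|reg\s+add)\b", re.I),
    re.compile(r"\bsh\s+-c\b.*\b(useradd|python[\d.]*\s+-c)", re.I),
]

def stream_alert(dst_port, segments):
    """Scan the ordered client-to-server segments of one TCP stream.

    Alerts when a stream to port 3465 is null-byte-delimited and carries the
    trigger, even if the trigger straddles a segment boundary.
    """
    if dst_port != RADIA_PORT:
        return False
    tail, seen_null, seen_trigger = b"", False, False
    for seg in segments:
        window = tail + seg
        seen_null = seen_null or b"\x00" in seg
        seen_trigger = seen_trigger or TRIGGER in window
        if seen_null and seen_trigger:
            return True
        tail = window[-(len(TRIGGER) - 1):]  # carry enough bytes to rejoin a split
    return False

def process_alert(parent_image, child_cmdline):
    """True when radexecd (Windows or Linux) spawns one of the listed children."""
    parent = parent_image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if parent not in ("radexecd.exe", "radexecd"):
        return False
    return any(p.search(child_cmdline) for p in CHILD_PATTERNS)

if __name__ == "__main__":
    # Constructed sample data, not captured traffic or real telemetry.
    split = [b"f1\x00f2\x00hide h", b"ide\x09PLACEHOLDER\x00"]
    print(stream_alert(3465, split))
    print(process_alert(r"C:\constructed\radexecd.exe",
                        "cmd.exe /c net user constructed_user X /add"))
    print(process_alert("/opt/constructed/radexecd",
                        "sh -c useradd constructed_user"))
```
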