CVE-2017-16237
published 2017-11-03

Priority: P273 · high · 7.8 (CVSS 3.0)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.46% (70.2th percentile)
In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file (VIAGLT64.SYS) contains an Arbitrary Write vulnerability because of not validating input values from IOCtl 0x8273007C.

Affected

1 range
Vendor | Product | Version range | Fixed in
tgsoft | vir.it_explorer | < 8.5.42 | 8.5.42

Detection & IOCs (extracted from sources)

filename: VIAGLT64.SYS
other: IOCtl 0x8273007C
path: \\.\viragtlt
command: DeviceIoControl(hDevice, 0x8273007C, input, sizeof(input), NULL, 0, &dwRetBytes, NULL)
process: winlogon.exe
bytes: \xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60
  • The _SEP_TOKEN_PRIVILEGES offset (0x40) used in the exploit is hardcoded and may vary across different Windows kernel versions, potentially limiting reliability on untested OS builds.

CVSS provenance

nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 7.8 | HIGH