CVE-2017-3195
published 2017-12-16

CVE-2017-3195: Commvault Edge Communication Service (cvd) prior to version 11 SP7 or version 11 SP6 with hotfix 590 is prone to a stack-based buffer overflow vulnerability…

Priority: P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 21.39% (97.3th percentile)
Commvault Edge Communication Service (cvd) prior to version 11 SP7 or version 11 SP6 with hotfix 590 is prone to a stack-based buffer overflow vulnerability that could lead to arbitrary code execution with administrative privileges.

Affected

5 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commvault | commvault | <= 11.0 | |
| commvault | commvault | | |
| commvault | edge | | |
| commvault | service_pack_6 | | |
| commvault | service_pack_6 | | |

Detection & IOCs (extracted from sources)

port: 8400
command: 41 * 0xd0 (208-byte 'A' overflow pattern sent in pkt3)
process: cvd.exe
bytes: 0000003800000010000000100000000f00000000000000000000000000000000000000000000000000000000000000010000000000000000
bytes: 0000100309000101090000000000ffe80000000800010000
bytes: 0000100309000509000000090000ffe800000036
bytes: 53534c634c6e54
  • Monitor for TCP connections to port 8400 (Commvault Edge cvd service) originating from unexpected or external hosts, especially those sending oversized packets matching the three-stage handshake pattern in the PoC.
  • Detect stack-based buffer overflow attempt: look for a payload segment in the third packet (pkt3) beginning with hex 53534c634c6e54 followed by a large block of repeated 0x41 bytes (208+ bytes) on port 8400.
  • The exploit targets the Commvault Edge Communication Service (cvd) process; monitor for abnormal child processes or privilege escalation events spawned by cvd.exe.
  • The PoC hardcodes a target IP (10.101.0.85); real-world attacks will vary the destination IP. Detection should focus on the packet content and port, not the IP.
  • Vulnerable versions are Commvault Edge cvd prior to 11 SP7, or 11 SP6 without hotfix 590. Patched installations are not affected.

CVSS provenance

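| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |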