cbcvebase.
CVE-2018-6911
published 2018-02-13

CVE-2018-6911: The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument (aka…

PriorityP275critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
13.03%
95.9th percentile
The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument (aka the command parameter).

Affected

1 ranges
VendorProductVersion rangeFixed in
advantechwebaccess

Detection & IOCsextracted from sources · hover to see the quote

pathC:\WebAccess\Node\AspVBObj.dll
otherGUID: {55F52D11-CEA5-4D6C-9912-2C8FA03275CE}
commandrce.VBWinExec("calc")
  • Monitor for invocations of the VBWinExec function exported from AspVBObj.dll (COM class GUID {55F52D11-CEA5-4D6C-9912-2C8FA03275CE}); any call to this function from a web/browser context should be treated as exploitation of CVE-2018-6911.
  • The COM object is registered with KillBitSet: False and RegKey Safe for Script: False — hunt for browser-initiated COM instantiation of class 'Include' (GUID {55F52D11-CEA5-4D6C-9912-2C8FA03275CE}) in process trees originating from IE or other browsers.
  • Alert on child processes (e.g. calc.exe, cmd.exe, powershell.exe) spawned by the Advantech WebAccess Node service or any browser process that has loaded AspVBObj.dll from C:\WebAccess\Node\.
  • ·Exploitation requires the attacker to be able to instantiate the COM object (class 'Include') via script — this is only possible if the ActiveX control is accessible from the browser context (e.g. IE with appropriate zone settings). Scope detection efforts accordingly.
  • ·The vulnerability is confirmed only in Advantech WebAccess version 8.3.0; verify the installed version before applying detections to avoid false positives on patched or different versions.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.