CVE-2018-6911
published 2018-02-13CVE-2018-6911: The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument (aka…
PriorityP275critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
13.03%
95.9th percentile
The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument (aka the command parameter).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | webaccess | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for invocations of the VBWinExec function exported from AspVBObj.dll (COM class GUID {55F52D11-CEA5-4D6C-9912-2C8FA03275CE}); any call to this function from a web/browser context should be treated as exploitation of CVE-2018-6911. ↗
- →The COM object is registered with KillBitSet: False and RegKey Safe for Script: False — hunt for browser-initiated COM instantiation of class 'Include' (GUID {55F52D11-CEA5-4D6C-9912-2C8FA03275CE}) in process trees originating from IE or other browsers. ↗
- →Alert on child processes (e.g. calc.exe, cmd.exe, powershell.exe) spawned by the Advantech WebAccess Node service or any browser process that has loaded AspVBObj.dll from C:\WebAccess\Node\. ↗
- ·Exploitation requires the attacker to be able to instantiate the COM object (class 'Include') via script — this is only possible if the ActiveX control is accessible from the browser context (e.g. IE with appropriate zone settings). Scope detection efforts accordingly. ↗
- ·The vulnerability is confirmed only in Advantech WebAccess version 8.3.0; verify the installed version before applying detections to avoid false positives on patched or different versions. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
2018-02-13
Published