CVE-2018-7756
published 2018-03-15CVE-2018-7756: RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote…
PriorityP181critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
62.47%
99.1th percentile
RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that launches a .EXE file located at an arbitrary external URL, or a "SETFIREWALL Off" command.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dewesoft | dewesoft | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for unauthenticated TCP connections to port 1999 on hosts running DEWESoft X3 SP1; any inbound session should be treated as suspicious given no authentication is required. ↗
- →Alert on known internal commands (RUN, RUNEX, GETFIREWALL, SETFIREWALL, KILL, USERNAME, SHUTDOWN, SENDKEYS, LIST, DWPIPE) transmitted over TCP/1999 to detect exploitation attempts. ↗
- →Detect process execution of RunExeFile.exe spawning child processes or making outbound HTTP/S connections to external URLs, which indicates the RUN command being abused to download and execute remote payloads. ↗
- →Flag SETFIREWALL Off commands on TCP/1999 as a high-severity indicator of an attacker disabling host firewall protections via the RunExeFile.exe interface. ↗
- ·The vulnerable component RunExeFile.exe is installed only when using the full installer; partial or custom installs may not deploy it to the default shared path. ↗
- ·The internal command set of RunExeFile.exe is undocumented by the vendor, meaning the full attack surface beyond the demonstrated commands may be broader than what is publicly known. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
2018-03-15
Published