CVE-2019-10123
published 2019-05-31


Priority: P1 (79)
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 65.85% (99.2nd percentile)
SQL Injection in Advanced InfoData Systems (AIS) ESEL-Server 67 (which is the backend for the AIS logistics mobile app) allows an anonymous attacker to execute arbitrary code in the context of the user of the MSSQL database. The default user for the database is the 'sa' user.

Affected

1 range
Vendor: ais
Product: logistic_software
Version range: <= 67
Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 5099
port: 5100
command: EXEC master..xp_cmdshell '#{cmd}'
other: Zugangsdaten OK (German: "credentials OK")
other: Zugangsdaten Falsch (German: "credentials wrong")
process: wcsript.exe
bytes (login message layout): \xFF + 000000 + \xFF + 20180810213226 + \xFF + 01 + \xFF + 60 + \xFF + 02 + \xFF + 1111 + \xFF + <pw> + \xFF + AAAAA + \xFF + 120
  • Monitor TCP traffic to/from port 5099 (and 5100) for login messages that follow the 0xFF-delimited layout above and carry an SQL injection payload in the password field (e.g. a single quote followed by SQL keywords such as OR, EXEC or xp_cmdshell).
  • Alert on xp_cmdshell being enabled or executed from the ESEL server process or the MSSQL 'sa' user context: the exploit explicitly enables and then calls xp_cmdshell to achieve RCE.
  • Look for payload executables dropped in the %TEMP% folder of the user running the ESEL server; the exploit leaves its payload executable behind after execution.
  • Detect wcsript.exe (note: likely a typo for wscript.exe in the source) spawned as a child of the MSSQL or ESEL server process; the VBS CmdStager uses it to reconstruct and execute the payload.
  • The ESEL login protocol uses 0xFF as a field delimiter with a fixed structure that includes the literal timestamp '20180810213226' and the fields '000000', '01', '60', '02', '1111', 'AAAAA' and '120'. Network signatures matching this structure on port 5099 identify ESEL login traffic for deeper inspection.
  • The exploit targets the default 'sa' MSSQL user. If the ESEL server has been configured with a lower-privileged database account, enabling xp_cmdshell and executing OS commands may fail, which reduces the impact of exploitation.
  • The module was verified on ESEL-Server version 67 but is expected to work on earlier versions as well. A fixed version was released by AIS in September 2017, but many systems remain unpatched.
  • The CmdStager flavor is VBS ('wcsript.exe'), so endpoint defenses that block or monitor wscript.exe/VBScript execution interrupt the payload delivery chain.
  • The protocol imposes no maximum data size, so arbitrarily large payloads can be sent in a single login message without fragmentation constraints.
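The layout in the bytes IOC and the first detection bullet translate directly into a parser plus a classifier. The block below is an added example written for this page; it is not code from the vulnerability database, from AIS, or from the public exploit module. It assumes that the server answers a login with the literal strings "Zugangsdaten OK" / "Zugangsdaten Falsch" listed among the IOCs, that a legitimate client sends a 14-digit timestamp in the slot where the exploit hard-codes 20180810213226, and that the client-side port numbers and every login payload in the sample session are constructed here for illustration. It goes slightly beyond the text in one respect: the password field is reconstructed from the middle of the message, so a payload that itself contains 0xFF bytes (the protocol has no size limit, so a large binary stager is plausible) cannot desynchronise the parser.

```python
import re

FF = b"\xff"
ESEL_PORTS = {5099, 5100}
EXPLOIT_TS = b"20180810213226"            # literal timestamp the public exploit sends
FIELD1 = b"000000"                        # fixed field 1
FIELDS3_6 = [b"01", b"60", b"02", b"1111"]  # fixed fields 3..6
TRAILING = [b"AAAAA", b"120"]             # fixed fields 8..9; field 7 is the password
# Assumption: real clients send a 14-digit YYYYMMDDhhmmss timestamp in field 2.
TS_RE = re.compile(rb"^\d{14}$")
# A single quote followed (anywhere later) by an MSSQL keyword is the injection shape
# described in the detection guidance.
SQLI_RE = re.compile(
    rb"'.*?\b(or|and|exec|execute|union|select|waitfor|sp_configure|xp_cmdshell)\b",
    re.I | re.S,
)
CMDSHELL_RE = re.compile(rb"xp_cmdshell", re.I)


def build_login(password: bytes, timestamp: bytes = EXPLOIT_TS) -> bytes:
    """Build a login message with the 0xFF-delimited layout from the IOC list.
    Used here only to construct sample traffic."""
    return FF + FF.join([FIELD1, timestamp] + FIELDS3_6 + [password] + TRAILING)


def parse_login(msg: bytes):
    """Return {'timestamp', 'password'} if msg has the ESEL login layout, else None.
    All fields except 2 and 7 must match the documented constants exactly; field 7
    is rebuilt from every part between the fixed head and tail, so 0xFF bytes inside
    an injected payload do not break the parse."""
    if not msg.startswith(FF):
        return None
    parts = msg.split(FF)[1:]            # drop the empty element before the leading 0xFF
    if len(parts) < 9:
        return None
    if (parts[0] != FIELD1 or not TS_RE.match(parts[1])
            or parts[2:6] != FIELDS3_6 or parts[-2:] != TRAILING):
        return None
    return {"timestamp": parts[1], "password": FF.join(parts[6:-2])}


def classify_login(msg: bytes) -> str:
    """'not_esel_login', 'benign', 'sqli' or 'xp_cmdshell' for one client message."""
    login = parse_login(msg)
    if login is None:
        return "not_esel_login"
    pw = login["password"]
    if CMDSHELL_RE.search(pw):
        return "xp_cmdshell"
    if SQLI_RE.search(pw):
        return "sqli"
    return "benign"


def scan_session(records):
    """records: iterable of (src_port, dst_port, payload) in stream order.
    Each injected client login is paired with the next server reply; a reply
    containing 'Zugangsdaten OK' (assumed server success string) means the
    authentication bypass worked. Returns (verdict, outcome, reply) tuples."""
    alerts, pending = [], None
    for src, dst, data in records:
        if dst in ESEL_PORTS:
            verdict = classify_login(data)
            pending = verdict if verdict in ("sqli", "xp_cmdshell") else None
        elif src in ESEL_PORTS and pending:
            outcome = "bypass_success" if b"Zugangsdaten OK" in data else "bypass_attempt"
            alerts.append((pending, outcome, data))
            pending = None
    return alerts


# Constructed sample session (client ports and payloads invented for this example).
SAMPLE_SESSION = [
    (50100, 5099, build_login(b"hunter2")),
    (5099, 50100, b"Zugangsdaten Falsch"),
    (50101, 5099, build_login(b"x' OR 1=1--")),
    (5099, 50101, b"Zugangsdaten OK"),
    (50102, 5099, build_login(b"x'; EXEC master..xp_cmdshell 'whoami'--")),
    (5099, 50102, b"Zugangsdaten Falsch"),
]

if __name__ == "__main__":
    for verdict, outcome, reply in scan_session(SAMPLE_SESSION):
        print(verdict, outcome, reply)
```

Feeding this reassembled TCP payloads from port 5099/5100 gives a per-login verdict and, when the server's reply is visible, whether the injection actually authenticated. Because the parser pins every field except the timestamp and the password, a hit on the exploit's hard-coded timestamp (`login["timestamp"] == EXPLOIT_TS`) is itself a strong signal worth an extra alert; the EXEC/xp_cmdshell checks are intentionally broad, so tune the keyword list against legitimate passwords before deploying.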

CVSS provenance

NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P