CVE-2019-3980
published 2019-10-08


Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 5.18% (91.4th percentile)

The SolarWinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication, which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login, then upload and execute an arbitrary executable that runs under the Local System account.

Affected

1 range
Vendor | Product | Version range | Fixed in
solarwinds | dameware_mini_remote_control | |

Detection & IOCs (extracted from sources)

path: C:\Windows\Temp\dwDrvInst.exe
filename: dwDrvInst.exe
process: DWRCS.exe
  • Monitor for creation of dwDrvInst.exe in C:\Windows\Temp\ — this is the dropped payload path used by exploitation of CVE-2019-3980 via the DWRCS.exe smart card authentication code path.
  • Alert on any process spawned by DWRCS.exe running under the Local System account, especially unexpected child processes, as exploitation results in arbitrary code execution under Local System.
  • Detect unauthenticated smart card login requests to DWRCS.exe from external/untrusted sources — the attack vector abuses the smart card authentication flow to upload and execute files without prior authentication.
  • Smart card authentication is enabled by default in the affected agent, meaning the vulnerable code path is active out-of-the-box without any additional configuration by the administrator.
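
The first two monitoring points above, written as detection logic. This is an added example, not code from this page or from any vendor tool. It assumes endpoint telemetry already parsed into dicts with Sysmon-style fields (Event ID 11 FileCreate, Event ID 1 ProcessCreate); the sample events and the C:\Example install path are constructed.

```python
import ntpath

# Indicators listed on this page, lower-cased for case-insensitive matching.
DROP_PATH = r"c:\windows\temp\dwdrvinst.exe"
DROP_NAME = "dwdrvinst.exe"
AGENT = "dwrcs.exe"
SYSTEM_USER = r"nt authority\system"

def _base(path):
    return ntpath.basename(path or "").lower()

def detect(event):
    """Return the names of the checks that one Sysmon-style event triggers."""
    findings = []
    eid = event.get("EventID")
    if eid == 11:  # FileCreate
        target = ntpath.normpath(event.get("TargetFilename", "")).lower()
        if target == DROP_PATH:
            findings.append("payload_drop_path")
        elif _base(target) == DROP_NAME:
            findings.append("payload_name_other_dir")
    elif eid == 1:  # ProcessCreate
        if _base(event.get("ParentImage")) == AGENT:
            as_system = event.get("User", "").lower() == SYSTEM_USER
            findings.append("dwrcs_child_as_system" if as_system else "dwrcs_child")
        if ntpath.normpath(event.get("Image", "")).lower() == DROP_PATH:
            findings.append("exec_from_drop_path")
    return findings

def scan(events):
    """Return (index, findings) for every event that triggers a check."""
    hits = [(i, detect(e)) for i, e in enumerate(events)]
    return [(i, f) for i, f in hits if f]

# Constructed sample events; C:\Example is a placeholder install directory.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Example\DWRCS.exe",
     "TargetFilename": r"C:\Windows\Temp\dwDrvInst.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\dwDrvInst.exe",
     "ParentImage": r"C:\Example\DWRCS.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```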

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 9.8 | CRITICAL