CVE-2019-6453
published 2019-02-18

Priority: P271 · high · 8.1 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 71.78% (99.3rd percentile)

mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).

Affected

1 range
Vendor | Product | Version range | Fixed in
mirc | mirc | < 7.55 | 7.55

Detection & IOCs (extracted from sources)

filename: FILE1337.dll
command: origin://?" -reverse "
command: origin://?" -Origin_MultipleInstances "
command: origin://?" /noUpdate "
command: origin://?" /StartClientMinimized /noUpdate -Origin_MultipleInstances "
  • mIRC CVE-2019-6453 is exploitable via irc:// URI handlers loading arbitrary .ini files from UNC share pathnames; monitor for mIRC process launches with UNC path arguments (\\server\share\*.ini).
  • Monitor for Origin.exe or mIRC.exe spawned with -platformpluginpath pointing to a UNC/remote Windows share path, which indicates remote DLL plugin loading for code execution.
  • Alert on process creation events where Origin.exe is launched with /noUpdate and /StartClientMinimized flags combined, as this is a known evasion pattern used in exploitation.
  • CVE-2019-6453 exploitation does not work on Chrome (URI is encoded before being passed to the application); focus detection on Edge and Firefox browser process trees spawning mIRC or Origin.
  • Monitor SMB/UNC share access (\\<remote>\imageformats\*.dll) initiated by Origin.exe or mIRC.exe, indicating remote Qt plugin loading as part of exploitation.
  • Exploitation of CVE-2019-6453 is browser-dependent: Chrome encodes URIs before passing to the application, preventing argument injection. Edge and Firefox are confirmed vulnerable.
  • The vulnerability affects mIRC versions prior to 7.55 only; patched in 7.55.
  • Remote Qt plugin loading requires the backdoored DLL to reside within a valid Qt plugin subdirectory (e.g., imageformats/) on the remote share; a valid .qtmetad section is required for the DLL to be loaded.

CVSS provenance

nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P