CVE-2019-6543
published 2019-02-13

CVSS 3.1 base score: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 17.29% (96.7th percentile)
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine.

Affected (5 ranges; the version range and fixed-in values were not captured on this page)

Vendor   Product                         Version range   Fixed in
aveva    indusoft_web_studio
aveva    indusoft_web_studio
aveva    indusoft_web_studio
aveva    indusoft_web_studio
aveva    intouch_machine_edition_2014

Detection & IOCs (extracted from sources)

filename: DB.xdc
command:  DBProcessCall command 66
url:      http://download.indusoft.com/81.3.0/IWS81.3.0.zip
bytes:    \x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03
bytes:    \x02\x42 ... \x03
  • Detect unauthenticated DBProcessCall command 66 (0x42) messages on the InduSoft Web Studio agent port; the protocol frame starts with 0x02 0x42 and ends with 0x03.
  • Monitor for outbound SMB (port 445) connections originating from InduSoft Web Studio / InTouch Edge HMI processes, which may indicate the agent is fetching a remote malicious DB.xdc configuration file.
  • Alert on SMB share name 'LOLWAT' appearing in network traffic or logs, as used in the published PoC exploit to serve the malicious DB.xdc file.
  • Look for the connection initialisation byte sequence 0x02 0x31 0x10 0x31 0x10 0x38 0x10 0x31 0x10 0x31 0x03 on the InduSoft agent port as a precursor to exploitation.
  • CVSS v3 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting network exploitability with no privileges or user interaction required.

CVSS provenance

NVD v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL AV:N/AC:L/Au:N/C:C/I:C/A:C