cbcvebase.
CVE-2019-6545
published 2019-02-13

Priority: P2 · 63 · high · CVSS 3.1 base score 7.5
CVSS 3.1 metrics: AV:N AC:L PR:N UI:N S:U C:N I:H A:N
Exploit: available
EPSS: 13.86% (96.1th percentile)
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.

Affected (5 ranges)

Vendor   Product                        Version range   Fixed in
aveva    indusoft_web_studio
aveva    indusoft_web_studio
aveva    indusoft_web_studio
aveva    indusoft_web_studio
aveva    intouch_machine_edition_2014

Detection & IOCs (extracted from sources)

filename: DB.xdc
command:  DBProcessCall command 66 (0x42)
port:     445
url:      http://download.indusoft.com/81.3.0/IWS81.3.0.zip
bytes:    \x02\x42 ... \x03
bytes:    \x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03
  • Detect unauthenticated DBProcessCall command 66 (0x42) messages on the InduSoft Web Studio agent port; the protocol frame starts with 0x02 0x42 and ends with 0x03.
  • Alert on outbound SMB (TCP/445) connections originating from the InduSoft Web Studio process, which would indicate the agent is fetching a remote DB.xdc configuration file from an attacker-controlled SMB share.
  • Monitor for the connection initialization handshake byte sequence 0x02 0x31 0x10 0x31 0x10 0x38 0x10 0x31 0x10 0x31 0x03 on the InduSoft agent port as a precursor to exploitation.
  • Flag any UNC path arguments (e.g., \\<remote_ip>\<share>\DB) embedded in DBProcessCall messages, as the exploit passes a remote SMB path to load the malicious DB.xdc file.
  • The exploit uses an SMB share named 'LOLWAT' and serves a file named 'DB' (DB.xdc); the share name is attacker-controlled and will vary in real attacks — do not rely solely on the share name for detection.
  • CISA noted no known public exploits specifically targeted these vulnerabilities at advisory publication time (Feb 2019), but a public PoC was simultaneously released on Exploit-DB.
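The frame-level indicators above (STX/ETX delimiters, the 0x42 command byte, the handshake byte sequence and an embedded UNC path) can be turned into a small stream classifier for a network sensor or a packet-capture triage script. The following is an added example written for this page, not code from AVEVA, CISA or the PoC author. It assumes that each agent message is bracketed by 0x02 ... 0x03 and that the remote path appears as plain ASCII inside the DBProcessCall payload; the page does not document the full field layout of the message, so anything beyond those delimiters and the command byte is a constructed assumption, as is the sample traffic.

```python
import re
from typing import List, Tuple

# Indicators taken from the IOC list on this page.
STX, ETX = 0x02, 0x03
DBPROCESSCALL_CMD = 0x42  # DBProcessCall command 66
HANDSHAKE = b"\x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03"

# Assumption: a remote DB.xdc location shows up as an ASCII UNC path
# (\\host\share...) inside the payload. Control bytes terminate the match.
UNC_RE = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\\\x00-\x1f]+")


def split_frames(stream: bytes) -> List[bytes]:
    """Cut a reassembled TCP payload into STX..ETX frames.

    Assumption: a raw 0x03 never occurs inside a frame body.
    """
    frames: List[bytes] = []
    start = None
    for i, b in enumerate(stream):
        if b == STX and start is None:
            start = i
        elif b == ETX and start is not None:
            frames.append(stream[start:i + 1])
            start = None
    return frames


def classify_frame(frame: bytes) -> List[str]:
    """Return the detection labels that apply to one frame.

    "handshake"          - the connection-initialization sequence (precursor)
    "dbprocesscall_0x42" - an unauthenticated DBProcessCall command 66 message
    "unc_path"           - the DBProcessCall carries a remote (SMB) path argument
    """
    findings: List[str] = []
    if frame == HANDSHAKE:
        findings.append("handshake")
        return findings
    if len(frame) < 3 or frame[0] != STX or frame[-1] != ETX:
        return findings  # not a well-formed agent frame
    if frame[1] == DBPROCESSCALL_CMD:
        findings.append("dbprocesscall_0x42")
        if UNC_RE.search(frame[2:-1]):
            findings.append("unc_path")
    return findings


def scan_stream(stream: bytes) -> List[Tuple[int, List[str]]]:
    """Classify every frame in a stream; return (frame index, labels) for hits only."""
    hits = []
    for idx, frame in enumerate(split_frames(stream)):
        labels = classify_frame(frame)
        if labels:
            hits.append((idx, labels))
    return hits


# Constructed sample traffic: handshake, then a DBProcessCall pointing at a
# remote share (documentation address, placeholder share name), then a benign frame.
SAMPLE_STREAM = (
    HANDSHAKE
    + b"\x02\x42\x10\\\\203.0.113.5\\SHARE\\DB\x10\x03"
    + b"\x02\x01hello\x03"
)

if __name__ == "__main__":
    for idx, labels in scan_stream(SAMPLE_STREAM):
        print(f"frame {idx}: {', '.join(labels)}")
```

A handshake followed by a DBProcessCall whose argument is a UNC path is the sequence the bullets above describe; a DBProcessCall with a local path only yields the command label, so an analyst can tune alert severity on the presence of `unc_path` rather than on the share name, which the page notes is attacker-controlled.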

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N