InduSoft Web Studio < v8.1 + SP3 Remote Command Injection Vulnerability
critical Nessus Network Monitor Plugin ID 701080
A vulnerable version of InduSoft Web Studio has been detected.
InduSoft Web Studio versions prior to v8.1 + SP3 contain an unauthenticated remote command injection vulnerability. An attacker can issue a specially crafted command 66, which causes IWS to load a DB connection file from a network share over SMB. The DB file can contain OS commands, which are executed at the privilege level used by IWS.