When the "HKEY_CURRENT_USER\Software\Classes\exefile" registry key is modified by this exploit and a Windows or third party service calls to the "ShellExecute" function, an invalid association file is produced, finalizing the attack with the execution of a crafted program instead of the original program.



This update fixes a regression introduced in version 2016_R1.

This module exploits a remote code execution vulnerability in Joomla. The session handling code is susceptible to PHP Object Injection attacks due to lack of sanitization in some HTTP headers that are saved to the database session backend.



This update fixes an issue which made the exploit abort before running.

This module exploits a directory traversal vulnerability in Novell ServiceDesk. The specific flaw is located in the import functionality provided to a user. Authenticated users can upload and execute arbitrary JSP files via a .. (dot dot) in a filename within a multipart/form-data POST request to a LiveTime.woa URL.

This vulnerability allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method.

Combining this with log injection, remote code execution can be achieved.

Make agent persistent and WMI module enhancement in connection type HTTP proxy - aware

A certain message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw().

This module uses an unauthenticated deserialization vulnerability in Magento eCommerce Web Sites to perform an arbitrary write file to gain arbitrary PHP code execution on the affected system.

This module exploits an arbitrary file upload vulnerability in Advantech WebAccess. The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within the FileUpload script allows unauthenticated callers to upload arbitrary code to directories in the server where the code can be automatically executed under the high-privilege context of the IIS AppPool.



Authentication is not required to exploit this vulnerability.

The DefaultActionMapper class in Apache Struts 2 supports a Dynamic Method Invocation feature via the "method:" prefix. The information contained in this prefix is not properly sanitized before being evaluated as OGNL expressions on the server side, which allows remote attackers to execute arbitrary Java code on the server.



This module exploits the vulnerability in any web application built on top of vulnerable versions of the Apache Struts 2 framework with the "struts.enable.DynamicMethodInvocation" configuration parameter in struts.xml set to True.

This update contains improvements to our agents to reduce detection rates against some antiviruses.