What is CVE-2014-0780?

CVE-2014-0780 is a vulnerability in Indusoft Web Studio, classified under Path Traversal. Published 2014-04-25.

Is CVE-2014-0780 known to be exploited?

Yes. CVE-2014-0780 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-04-15), indicating it is being actively exploited. 2 public proof-of-concept repositories are indexed.

Path Traversal in Indusoft Web Studio

CVE-2014-0780

Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.892 (99.6th percentile) — read the EPSS interpretation.

Affected products

Indusoft Web Studio — versions 7.1

Weakness classification (CWE)

CWE-22 — Path Traversal

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2022-04-15. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-05-06.

Required action: Apply updates per vendor instructions.

Public proof-of-concept exploits

References

42699 (exploit, x_refsource_EXPLOIT-DB)
www.cisa.gov/news-events/ics-advisories/icsa-14-107-02
67056 (vdb-entry, x_refsource_BID)
download.indusoft.com/71.2.4/IWS71.2.4.zip

Frequently asked questions

What is CVE-2014-0780?: CVE-2014-0780 is a vulnerability in Indusoft Web Studio, classified under Path Traversal. Published 2014-04-25.
Is CVE-2014-0780 known to be exploited?: Yes. CVE-2014-0780 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-04-15), indicating it is being actively exploited. 2 public proof-of-concept repositories are indexed.