CVE-2009-1429

Symantec AntiVirus < 9.0 and 10.0-10.1 - Remote Code Execution via Crafted Packet

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-1429. PoCs published by Metasploit, kingcope, MC, including Metasploit module exploits/windows/antivirus/ams_xfr.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Symantec System Center Alert Management System (xfr.exe) by sending a maliciously crafted packet to port 12174, allowing arbitrary command execution. It supports both direct command execution and a staged payload via TFTP.

Description

The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allows remote attackers to execute arbitrary commands via a crafted packet whose contents are interpreted as a command to be launched in a new process by the CreateProcessA function.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/17699

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Symantec System Center Alert Management System (xfr.exe) by sending a maliciously crafted packet to port 12174, allowing arbitrary command execution. It supports both direct command execution and a staged payload via TFTP.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Symantec System Center Alert Management System (xfr.exe)

No auth needed

Prerequisites: Network access to port 12174 on the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by kingcope · perlremotewindows

https://www.exploit-db.com/exploits/10340

View Code ZIP pw:eip

This exploit targets a command injection vulnerability in Symantec's AMS2 component, allowing remote command execution with SYSTEM privileges via TCP port 12174. It includes multiple attack modes such as adding users, downloading/executing payloads, and testing connectivity.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Symantec Alert Management Systems 2 (AMS2) component in multiple Symantec products

No auth needed

Prerequisites: Network access to TCP port 12174 on the target system

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1105 - Ingress Tool Transfer T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by MC · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/antivirus/ams_xfr.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Symantec System Center Alert Management System (xfr.exe) by sending a maliciously crafted packet to execute arbitrary commands on the target system.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Symantec System Center Alert Management System (xfr.exe)

No auth needed

Prerequisites: Network access to the target system on port 12174

MITRE ATT&CK