CVE-2009-1430

Symantec AntiVirus and Client Security - Remote Code Execution via Crafted Packet

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-1430. PoCs published by Metasploit, MC, including Metasploit module exploits/windows/antivirus/symantec_iao.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in Symantec Alert Management System's Intel Alert Originator Service (msgsys.exe) via a crafted alert message. It achieves remote code execution by overwriting the return address and executing shellcode.

Description

Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Originator Service in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allow remote attackers to execute arbitrary code via (1) a crafted packet or (2) data that ostensibly arrives from the MsgSys.exe process.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16826

This exploit targets a stack buffer overflow in Symantec Alert Management System's Intel Alert Originator Service (msgsys.exe) via a crafted alert message. It achieves remote code execution by overwriting the return address and executing shellcode.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Symantec Alert Management System Intel Alert Originator Service (msgsys.exe)
No auth needed
Prerequisites: Network access to TCP port 38292 · Target system running vulnerable Symantec Alert Management System
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/antivirus/symantec_iao.rb

This Metasploit module exploits a stack buffer overflow in Symantec Alert Management System's Intel Alert Originator Service (msgsys.exe) via a crafted alert message. It achieves remote code execution by overwriting the return address and executing shellcode.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Symantec Alert Management System Intel Alert Originator Service (msgsys.exe)
No auth needed
Prerequisites: Network access to the target service on port 38292 · Vulnerable version of Symantec Alert Management System
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (12)

Core 12
Core References
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1204
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022132
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/503080/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022130
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34674
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/50178
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34672
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/50177
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34856
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022131
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-09-018/

Scores

EPSS 0.5509
EPSS Percentile 98.9%

Details

CWE
CWE-119
Status published
Products (36)
symantec/antivirus
symantec/antivirus 10.0
symantec/antivirus 10.0.1
symantec/antivirus 10.0.1.1
symantec/antivirus 10.0.2
symantec/antivirus 10.0.2.1
symantec/antivirus 10.0.2.2
symantec/antivirus 10.0.3
symantec/antivirus 10.0.4
symantec/antivirus 10.0.5
... and 26 more
Published Apr 29, 2009
Tracked Since Feb 18, 2026