CVE-2009-4148

DAZ Studio 2.3.3.161, 2.3.3.163, and 3.0.1.135 - Remote Code Execution via JavaScript in .ds, .dsa, .dse, or .dsb Files

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4148. PoCs published by Core Security.

AI-analyzed exploit summary The exploit demonstrates arbitrary command execution in DAZ Studio by leveraging its scripting interface to download and execute a payload (putty.exe) via a malicious .ds file. It uses ActiveX objects to fetch and run the executable in the context of DAZ Studio.

Description

DAZ Studio 2.3.3.161, 2.3.3.163, and 3.0.1.135 allows remote attackers to execute arbitrary JavaScript code via a (1) .ds, (2) .dsa, (3) .dse, or (4) .dsb file, as demonstrated by code that loads the WScript.Shell ActiveX control, related to a "script injection vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED
by Core Security · textlocalwindows
https://www.exploit-db.com/exploits/10295

The exploit demonstrates arbitrary command execution in DAZ Studio by leveraging its scripting interface to download and execute a payload (putty.exe) via a malicious .ds file. It uses ActiveX objects to fetch and run the executable in the context of DAZ Studio.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: DAZ Studio (versions 2.3.3.161, 2.3.3.163, 3.0.1.135, and likely older)
No auth needed
Prerequisites: User must open a malicious .ds, .dsa, .dse, or .dsb file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37176
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508192/100/0/threaded

Scores

EPSS 0.0549
EPSS Percentile 91.7%

Details

CWE
CWE-94
Status published
Products (3)
daz3d/daz_studio 2.3.3.161
daz3d/daz_studio 2.3.3.163
daz3d/daz_studio 3.0.1.135
Published Dec 04, 2009
Tracked Since Feb 18, 2026