Description
HNDLRSVC.EXE in the Intel Alert Handler service (aka Symantec Intel Handler service) in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allows remote attackers to execute arbitrary programs by sending msgsys.exe a UNC share pathname, which is used directly in a CreateProcessA (aka CreateProcess) call.
Exploits (1)
metasploit
WORKING POC
EXCELLENT
by MC · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/antivirus/ams_hndlrsvc.rb
References (9)
Scores
EPSS: 0.6059
EPSS Percentile: 98.3%
Details
CWE: CWE-20
Status: published
Products (30)
symantec/antivirus 10.0 (3 CPE variants)
symantec/antivirus 10.0.1
symantec/antivirus 10.0.1.1
symantec/antivirus 10.0.1.2
symantec/antivirus 10.0.2
symantec/antivirus 10.0.2.1
symantec/antivirus 10.0.2.2
symantec/antivirus 10.0.3
symantec/antivirus 10.0.4
symantec/antivirus 10.0.5
... and 20 more
Published: Jan 31, 2011
Tracked Since: Feb 18, 2026