CVE-2011-4535

TurboPower Abbrevia < 3.05 - Buffer Overflow via Crafted ZIP File

Exploitation Summary

EIP tracks 3 public exploits for CVE-2011-4535. PoCs were published by Metasploit and mr_me, including the Metasploit module exploits/windows/fileformat/scadaphone_zip.

AI-analyzed exploit summary: This exploit targets a stack-based buffer overflow in ScadaTEC ScadaPhone v5.3.11.1230 by crafting a malicious ZIP file. The payload is executed when the victim loads the file, leveraging an egghunter and SEH overwrite for reliable exploitation.

Description

Buffer overflow in TurboPower Abbrevia before 4.0, as used in ScadaTEC ScadaPhone 5.3.11.1230 and earlier, ScadaTEC ModbusTagServer 4.1.1.81 and earlier, and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ZIP file.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/17833

This exploit targets a stack-based buffer overflow in ScadaTEC ScadaPhone v5.3.11.1230 by crafting a malicious ZIP file. The payload is executed when the victim loads the file, leveraging an egghunter and SEH overwrite for reliable exploitation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ScadaTEC ScadaPhone <= v5.3.11.1230
No auth needed
Prerequisites: Victim must open the malicious ZIP file in ScadaPhone
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by mr_me · php · local · windows
https://www.exploit-db.com/exploits/17817

This exploit leverages a buffer overflow vulnerability in ScadaTEC ModbusTagServer and ScadaPhone to execute arbitrary code via a maliciously crafted ZIP file. It includes ROP chains and shellcode to bypass DEP on Windows XP SP3 for ScadaPhone and a direct SEH overwrite for ModbusTagServer.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: ScadaTEC ModbusTagServer <= 4.1.1.81, ScadaTEC ScadaPhone <= 5.3.11.1230
No auth needed
Prerequisites: Victim must load a malicious ZIP project file
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/scadaphone_zip.rb

This Metasploit module exploits a stack-based buffer overflow in ScadaTEC ScadaPhone 5.3.11.1230 via a maliciously crafted ZIP file. It uses an egghunter and SEH overwrite to achieve arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ScadaTEC ScadaPhone 5.3.11.1230
No auth needed
Prerequisites: Victim must open the malicious ZIP file in ScadaPhone
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS: 0.2700
EPSS Percentile: 97.8%

Details

CWE: CWE-119
Status: published
Products (3):
craig_peterson/turbopower_abbrevia < 3.05
scadatec/modbustagserver < 4.1.1.81
scadatec/scadaphone < 5.3.11.1230
Published: Apr 03, 2012
Tracked Since: Feb 18, 2026