CVE-2012-0439

Novell GroupWise <8.0.3-2012.SP1 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-0439. PoCs published by Metasploit, including Metasploit module exploits/windows/browser/novell_groupwise_gwcls1_actvx.

AI-analyzed exploit summary This Metasploit module exploits a memory corruption vulnerability in Novell GroupWise Client's gwcls1.dll ActiveX control, allowing arbitrary code execution via heap spraying and ROP chains. It targets multiple IE versions on Windows XP, Vista, and 7.

Description

An ActiveX control in gwcls1.dll in the client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code via (1) a pointer argument to the SetEngine method or (2) an XPItem pointer argument to an unspecified method.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/24490

View Code ZIP pw:eip

This Metasploit module exploits a memory corruption vulnerability in Novell GroupWise Client's gwcls1.dll ActiveX control, allowing arbitrary code execution via heap spraying and ROP chains. It targets multiple IE versions on Windows XP, Vista, and 7.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Novell GroupWise Client 2012 (gwcls1.dll 12.0.0.8586)

No auth needed

Prerequisites: Target must use IE 6-9 on Windows XP/Vista/7 · JRE6 installed for ASLR bypass on some targets

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb

View Code ZIP pw:eip

This Metasploit module exploits a memory corruption vulnerability in Novell GroupWise Client's gwcls1.dll ActiveX control, allowing arbitrary code execution via crafted method calls. It uses heap spraying and ROP chains for ASLR bypass, targeting multiple IE versions on Windows XP, Vista, and 7.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Novell GroupWise Client 2012 (gwcls1.dll 12.0.0.8586)

No auth needed

Prerequisites: Victim must visit a malicious webpage · Java Runtime Environment (JRE) 6 for ASLR bypass on newer systems

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory x_refsource_misc

http://www.zerodayinitiative.com/advisories/ZDI-13-008/

Issue Tracking x_refsource_confirm

https://bugzilla.novell.com/show_bug.cgi?id=743674

Issue Tracking x_refsource_confirm

https://bugzilla.novell.com/show_bug.cgi?id=712144

Vendor Advisory x_refsource_confirm

http://www.novell.com/support/kb/doc.php?id=7011688

Scores

EPSS 0.3918

EPSS Percentile 98.4%

Details

CWE

CWE-94

Status published

Products (6)

novell/groupwise 8.0

novell/groupwise 8.00 hp1 (3 CPE variants)

novell/groupwise 8.01 (2 CPE variants)

novell/groupwise 8.02 (4 CPE variants)

novell/groupwise 8.03 (2 CPE variants)

novell/groupwise 2012 (2 CPE variants)

Published Feb 24, 2013

Tracked Since Feb 18, 2026