CVE-2013-2827

WellinTech KingSCADA < 3.1.2 Remote Code Execution via ActiveX ProjectURL Property

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-2827. PoCs published by Metasploit, Andrea Micalizzi, juan vazquez, including Metasploit module exploits/windows/browser/wellintech_kingscada_kxclientdownload.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2013-2827 in KingScada's kxClientDownload.ocx ActiveX control by abusing the ProjectURL property to download and execute arbitrary DLLs, leading to remote code execution. It requires the target to have Protected Mode disabled.

Description

An unspecified ActiveX control in WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 allows remote attackers to download arbitrary DLL code onto a client machine and execute this code via the ProjectURL property value.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/31575

This Metasploit module exploits CVE-2013-2827 in KingScada's kxClientDownload.ocx ActiveX control by abusing the ProjectURL property to download and execute arbitrary DLLs, leading to remote code execution. It requires the target to have Protected Mode disabled.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WellinTech KingScada (kxClientDownload.ocx ActiveX control)
No auth needed
Prerequisites: Target must have Protected Mode disabled · Target must use Internet Explorer or KXCLIE browser · Target must access a malicious webpage hosting the exploit
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC GOOD
by Andrea Micalizzi, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb

This Metasploit module exploits an ActiveX control vulnerability in WellinTech KingScada, where the 'ProjectURL' property of 'kxClientDownload.ocx' can be abused to download and execute arbitrary DLLs via LoadLibrary, leading to remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WellinTech KingScada (kxClientDownload.ocx ActiveX control)
No auth needed
Prerequisites: Target must have the vulnerable ActiveX control installed · Protected Mode must be disabled or not present · Target must visit a malicious webpage or open a malicious HTML file
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References
Patch, US Government Resource x_refsource_misc
http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01

Scores

EPSS 0.4924
EPSS Percentile 98.7%

Details

CWE: CWE-94
Status: published
Products (3)
wellintech/kingalarm&event < 2.0.2
wellintech/kinggraphic < 3.1
wellintech/kingscada < 3.1
Published Jan 15, 2014
Tracked Since Feb 18, 2026