CVE-2015-0925

iPass Open Mobile < 2.4.4 - Authenticated Remote Code Execution via DLL Pathname in Unicode String

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-0925. PoCs published by Metasploit, Matthias Kaiser, h0ng10, including Metasploit module exploits/windows/smb/ipass_pipe_exec.

AI-analyzed exploit summary This Metasploit module exploits CVE-2015-0925 in the IPass Client service by abusing a named pipe to force the service to load a DLL from an SMB share, achieving remote command execution.

Description

The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/36412

This Metasploit module exploits CVE-2015-0925 in the IPass Client service by abusing a named pipe to force the service to load a DLL from an SMB share, achieving remote command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: IPass Client service
Auth required
Prerequisites: SMB access · Valid credentials · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Matthias Kaiser · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ipass_pipe_exec.rb

This Metasploit module exploits a vulnerability in the IPass Client service by abusing a named pipe to force the service to load a DLL from an SMB share, achieving remote command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: IPass Client service
Auth required
Prerequisites: Access to the named pipe with BUILTIN\Users group privileges · SMB share to host the malicious DLL
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by h0ng10 · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ipass_launch_app.rb

This Metasploit module exploits a privilege escalation vulnerability in the iPass Mobile Client Service by interacting with the named pipe '\\.\pipe\IPEFSYSPCPIPE' to execute arbitrary commands as SYSTEM via the 'LaunchAppSysMode' command.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: iPass Mobile Client Service (iPlatformService)
No auth needed
Prerequisites: Access to a vulnerable iPass Mobile Client Service installation · Named pipe '\\.\pipe\IPEFSYSPCPIPE' must be accessible
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/110652

Scores

EPSS 0.5212
EPSS Percentile 98.8%

Details

CWE
CWE-94
Status published
Products (1)
ipass/ipass_open_mobile < 2.4.4
Published Jan 22, 2015
Tracked Since Feb 18, 2026