CVE-2017-9640

MEDIUM

ALC WebCTRL <6.5 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-9640. PoCs published by LiquidWorm.

AI-analyzed exploit summary This PoC demonstrates a path traversal vulnerability in Automated Logic WebCTRL 6.1, allowing an authenticated user to write arbitrary files via the `manualcommand` console using the `echo` command. The exploit leverages directory traversal to create or overwrite files on the system.

Description

A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappsjava

https://www.exploit-db.com/exploits/42543

View Code ZIP pw:eip

This PoC demonstrates a path traversal vulnerability in Automated Logic WebCTRL 6.1, allowing an authenticated user to write arbitrary files via the `manualcommand` console using the `echo` command. The exploit leverages directory traversal to create or overwrite files on the system.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Automated Logic WebCTRL 6.1 and prior

Auth required

Prerequisites: Authenticated access to the WebCTRL management panel

MITRE ATT&CK

T1006 - Direct Volume Access T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/100452

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42543/

Mitigation, Third Party Advisory, US Government Resource x_refsource_misc

https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01

Scores

CVSS v3 6.3

EPSS 0.0845

EPSS Percentile 94.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-22

Status published

Products (4)

automatedlogic/i-vu < 5.2

automatedlogic/sitescan_web < 5.2

carrier/automatedlogic_webctrl < 5.2

n/a/Automated Logic Corporation WebCTRL, i-VU, SiteScan Automated Logic Corporation WebCTRL, i-VU, SiteScan

Published Aug 25, 2017

Tracked Since Feb 18, 2026