CVE-2018-16156

HIGH

PaperStream IP (TWAIN) 1.42.0.5685 - Unauthenticated Local Privilege Escalation via Untrusted Search Path

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-16156. PoCs published by 1F98D, securifera.

AI-analyzed exploit summary: This PowerShell script exploits a DLL hijacking vulnerability in Fujitsu PaperStream IP (TWAIN) by copying a malicious DLL to a writable directory in the system PATH and triggering its execution via a named pipe communication with the FJTWSVIC service.

Description

In PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7), the FJTWSVIC service running with SYSTEM privilege processes unauthenticated messages received over the FjtwMkic_Fjicube_32 named pipe. One of these message processing functions attempts to dynamically load the UninOldIS.dll library and executes an exported function named ChangeUninstallString. The default install does not contain this library and therefore if any DLL with that name exists in any directory listed in the PATH variable, it can be used to escalate to SYSTEM level privilege.

Exploits (2)

exploitdb WORKING POC VERIFIED
by 1F98D · powershell · local · windows
https://www.exploit-db.com/exploits/49382

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Fujitsu PaperStream IP (TWAIN) 1.42.0.5685
Auth required
Prerequisites: Local access to the target system · Writable directory in the system PATH · Malicious DLL (e.g., UninOldIS.dll) uploaded to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 stars
by securifera · poc
https://github.com/securifera/CVE-2018-16156-Exploit

This PowerShell script exploits CVE-2018-16156 by connecting to a named pipe and sending a specific string to trigger a vulnerability in the target software. It demonstrates the ability to interact with the pipe for potential privilege escalation.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Fujitsu Systemwalker Centric Manager (versions affected by CVE-2018-16156)
No auth needed
Prerequisites: Access to the named pipe 'FjtwMkic_Fjicube_32' on the target system
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory x_refsource_misc
https://www.securifera.com/advisories/cve-2018-16156/

Scores

CVSS v3 7.8
EPSS 0.0256
EPSS Percentile 83.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-426
Status published
Products (1)
fujitsu/paperstream_ip_\(twain\) 1.42.0.5685
Published May 17, 2019
Tracked Since Feb 18, 2026