CVE-2014-0780 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is in the KEV database since April 15, 2022.

Exploitation active

Automatable yes

Technical Impact total

Vendors	Products
Indusoft	Web Studio

Configuration 1 [-]

OR	cpe:2.3:a:indusoft:web_studio:7.1:-::::::
	cpe:2.3:a:indusoft:web_studio:7.1:sp1::::::
	cpe:2.3:a:indusoft:web_studio:7.1:sp2::::::

No data.

References

Link	Providers
http://download.indusoft.com/71.2.4/IWS71.2.4.zip
http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02
http://www.securityfocus.com/bid/67056
https://www.cisa.gov/news-events/ics-advisories/icsa-14-107-02
https://www.exploit-db.com/exploits/42699/

History

Thu, 25 Sep 2025 17:30:00 +0000

Type	Values Removed	Values Added
Title		InduSoft Web Studio Path Traversal
References		http://download.indusoft.com/71.2.4/IWS71.2.4.zip https://www.cisa.gov/news-events/ics-advisories/icsa-14-107-02

Fri, 07 Feb 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2022-04-15'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2014-04-25T01:00:00.000Z

Updated: 2025-09-25T17:16:50.255Z

Reserved: 2014-01-02T00:00:00.000Z

Link: CVE-2014-0780

Vulnrichment

Updated: 2024-08-06T09:27:19.473Z

NVD

Status : Deferred

Published: 2014-04-25T05:12:07.787

Modified: 2025-09-25T18:15:33.943

Link: CVE-2014-0780

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Web Studio", "vendor": "InduSoft", "versions": [{"status": "affected", "version": "7.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Zero Day Initiative (ZDI)"}], "datePublic": "2014-04-24T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.</p>"}], "value": "Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests."}], "metrics": [{"cvssV2_0": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-09-25T17:16:50.255Z"}, "references": [{"name": "42699", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/42699/"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-107-02"}, {"name": "67056", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/67056"}, {"url": "http://download.indusoft.com/71.2.4/IWS71.2.4.zip"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>InduSoft did not intend for this web server to be used in real applications. It was provided as demonstration/training software (as stated in user manuals). They have created a mitigation for this vulnerability in InduSoft Web Studio v7.1+Service Pack 2+ Patch 4. Users may obtain this patch at the following location (you must be logged into your InduSoft account): <a target=\"_blank\" rel=\"nofollow\" href=\"http://download.indusoft.com/71.2.4/IWS71.2.4.zip\">http://download.indusoft.com/71.2.4/IWS71.2.4.zip</a></p><p>InduSoft technical support can be contacted at: <a target=\"_blank\" rel=\"nofollow\">[email protected]</a> .</p>\n\n<br>"}], "value": "InduSoft did not intend for this web server to be used in real applications. It was provided as demonstration/training software (as stated in user manuals). They have created a mitigation for this vulnerability in InduSoft Web Studio v7.1+Service Pack 2+ Patch 4. Users may obtain this patch at the following location (you must be logged into your InduSoft account):\u00a0 http://download.indusoft.com/71.2.4/IWS71.2.4.zip \n\nInduSoft technical support can be contacted at:\[email protected]\u00a0."}], "source": {"advisory": "ICSA-14-107-02", "discovery": "EXTERNAL"}, "title": "InduSoft Web Studio Path Traversal", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2014-0780", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "42699", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42699/"}, {"name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02", "refsource": "MISC", "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02"}, {"name": "67056", "refsource": "BID", "url": "http://www.securityfocus.com/bid/67056"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:27:19.473Z"}, "title": "CVE Program Container", "references": [{"name": "42699", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/42699/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02"}, {"name": "67056", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/67056"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2014-0780", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T13:47:17.851913Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-04-15", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0780"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "timeline": [{"time": "2022-04-15T00:00:00+00:00", "lang": "en", "value": "CVE-2014-0780 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-30T01:46:51.405Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-0780", "datePublished": "2014-04-25T01:00:00.000Z", "dateReserved": "2014-01-02T00:00:00.000Z", "dateUpdated": "2025-09-25T17:16:50.255Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.exploit-db.com/exploits/42699/", "name": "42699", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"]}, {"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.securityfocus.com/bid/67056", "name": "67056", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:27:19.473Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2014-0780", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T13:47:17.851913Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-04-15", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0780"}}}], "timeline": [{"lang": "en", "time": "2022-04-15T00:00:00+00:00", "value": "CVE-2014-0780 added to CISA KEV"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T13:47:21.388Z"}}], "cna": {"title": "InduSoft Web Studio Path Traversal", "source": {"advisory": "ICSA-14-107-02", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Zero Day Initiative (ZDI)"}], "metrics": [{"format": "CVSS", "cvssV2_0": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "InduSoft", "product": "Web Studio", "versions": [{"status": "affected", "version": "7.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "InduSoft did not intend for this web server to be used in real applications. It was provided as demonstration/training software (as stated in user manuals). They have created a mitigation for this vulnerability in InduSoft Web Studio v7.1+Service Pack 2+ Patch 4. Users may obtain this patch at the following location (you must be logged into your InduSoft account):\u00a0 http://download.indusoft.com/71.2.4/IWS71.2.4.zip \n\nInduSoft technical support can be contacted at:\[email protected]\u00a0.", "supportingMedia": [{"type": "text/html", "value": "<p>InduSoft did not intend for this web server to be used in real applications. It was provided as demonstration/training software (as stated in user manuals). They have created a mitigation for this vulnerability in InduSoft Web Studio v7.1+Service Pack 2+ Patch 4. Users may obtain this patch at the following location (you must be logged into your InduSoft account): <a target=\"_blank\" rel=\"nofollow\" href=\"http://download.indusoft.com/71.2.4/IWS71.2.4.zip\">http://download.indusoft.com/71.2.4/IWS71.2.4.zip</a></p><p>InduSoft technical support can be contacted at: <a target=\"_blank\" rel=\"nofollow\">[email protected]</a> .</p>\n\n<br>", "base64": false}]}], "datePublic": "2014-04-24T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/42699/", "name": "42699", "tags": ["exploit", "x_refsource_EXPLOIT-DB"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-107-02"}, {"url": "http://www.securityfocus.com/bid/67056", "name": "67056", "tags": ["vdb-entry", "x_refsource_BID"]}, {"url": "http://download.indusoft.com/71.2.4/IWS71.2.4.zip"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.", "supportingMedia": [{"type": "text/html", "value": "<p>Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-09-25T17:16:50.255Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://www.exploit-db.com/exploits/42699/", "name": "42699", "refsource": "EXPLOIT-DB"}, {"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02", "name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02", "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/67056", "name": "67056", "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-0780", "STATE": "PUBLIC", "ASSIGNER": "[email protected]"}}}}, "cveMetadata": {"cveId": "CVE-2014-0780", "state": "PUBLISHED", "dateUpdated": "2025-09-25T17:16:50.255Z", "dateReserved": "2014-01-02T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2014-04-25T01:00:00.000Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-05-06", "cisaExploitAdd": "2022-04-15", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "InduSoft Web Studio NTWebServer Directory Traversal Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:indusoft:web_studio:7.1:-:*:*:*:*:*:*", "matchCriteriaId": "0E1F4D9E-CB8B-415C-B040-0460E529DD38", "vulnerable": true}, {"criteria": "cpe:2.3:a:indusoft:web_studio:7.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "15896AF9-B4C0-42B5-AE78-AB05B629D9C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:indusoft:web_studio:7.1:sp2:*:*:*:*:*:*", "matchCriteriaId": "446AC1D0-4F70-42C1-9083-E859F23E1357", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en NTWebServer en InduSoft Web Studio 7.1 anterior a SP2 Patch 4 permite a a atacantes remotos leer contrase\u00f1as de autenticaci\u00f3n en archivos APP, y como consecuencia ejecutar c\u00f3digo arbitrario, a trav\u00e9s de solicitudes web no especificados."}], "id": "CVE-2014-0780", "lastModified": "2025-09-25T18:15:33.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": false}, {"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2014-04-25T05:12:07.787", "references": [{"source": "[email protected]", "url": "http://download.indusoft.com/71.2.4/IWS71.2.4.zip"}, {"source": "[email protected]", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/67056"}, {"source": "[email protected]", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-107-02"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/42699/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/67056"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/42699/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}