CVE-2011-10028

CVSS

No CVSS.

T

he RealNetworks RealArcade platform includes an ActiveX control (InstallerDlg.dll, version 2.6.0.445) that exposes a method named Exec via the StubbyUtil.ProcessMgr COM object. This method allows remote attackers to execute arbitrary commands on a victim's Windows machine without proper validation or restrictions. This platform was sometimes referred to or otherwise known as RealArcade or Arcade Games and has since consolidated with RealNetworks' platform, GameHouse.

References

Link	Resource
https://advisories.checkpoint.com/defense/advisories/public/2011/cpai-2011-347.html
https://archive.org/details/com.real.arcade
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/real_arcade_installerdlg.rb
https://www.exploit-db.com/exploits/17105
https://www.exploit-db.com/exploits/17149
https://www.gamehouse.com/
https://www.vulncheck.com/advisories/real-networks-arcade-games-activex-arbitrary-code-execution
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/real_arcade_installerdlg.rb
https://www.exploit-db.com/exploits/17105
https://www.exploit-db.com/exploits/17149

Configurations

No configuration.

History

22 Aug 2025, 18:09

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-20 16:15

Updated : 2025-08-22 18:09

NVD link : CVE-2011-10028

Mitre link : CVE-2011-10028

CVE.ORG link : CVE-2011-10028

JSON object : View

Products Affected

No product.

CWE

CWE-623

Unsafe ActiveX Control Marked Safe For Scripting

{"id": "CVE-2011-10028", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-20T16:15:35.790", "references": [{"url": "https://advisories.checkpoint.com/defense/advisories/public/2011/cpai-2011-347.html", "source": "[email protected]"}, {"url": "https://archive.org/details/com.real.arcade", "source": "[email protected]"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/real_arcade_installerdlg.rb", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/17105", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/17149", "source": "[email protected]"}, {"url": "https://www.gamehouse.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/real-networks-arcade-games-activex-arbitrary-code-execution", "source": "[email protected]"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/real_arcade_installerdlg.rb", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.exploit-db.com/exploits/17105", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.exploit-db.com/exploits/17149", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-623"}]}], "descriptions": [{"lang": "en", "value": "The RealNetworks RealArcade platform includes an ActiveX control (InstallerDlg.dll, version 2.6.0.445) that exposes a method named Exec via the StubbyUtil.ProcessMgr COM object. This method allows remote attackers to execute arbitrary commands on a victim's Windows machine without proper validation or restrictions. This platform was sometimes referred to or otherwise known as RealArcade or Arcade Games and has since consolidated with RealNetworks' platform, GameHouse."}, {"lang": "es", "value": "La plataforma RealNetworks RealArcade incluye un control ActiveX (InstallerDlg.dll, versi\u00f3n 2.6.0.445) que expone un m\u00e9todo llamado Exec mediante el objeto COM StubbyUtil.ProcessMgr. Este m\u00e9todo permite a atacantes remotos ejecutar comandos arbitrarios en el equipo Windows de la v\u00edctima sin la validaci\u00f3n ni las restricciones adecuadas. Esta plataforma se conoc\u00eda en ocasiones como RealArcade o Arcade Games y, desde entonces, se ha fusionado con la plataforma de RealNetworks, GameHouse."}], "lastModified": "2025-08-22T18:09:17.710", "sourceIdentifier": "[email protected]"}