cbcvebase.
CVE-2011-0276
published 2011-02-02

CVE-2011-0276: HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 contains a "hidden account" in the com.trinagy.security.XMLUserManager Java class, which…

PriorityP277critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
82.43%
99.6th percentile
HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 contains a "hidden account" in the com.trinagy.security.XMLUserManager Java class, which allows remote attackers to execute arbitrary code via the doPost method in the com.trinagy.servlet.HelpManagerServlet class.

Affected

5 ranges
VendorProductVersion rangeFixed in
hpopenview_performance_insight
hpopenview_performance_insight
hpopenview_performance_insight
hpopenview_performance_insight
hpopenview_performance_insight

Detection & IOCsextracted from sources · hover to see the quote

otherhch908v
otherz6t0j$+i
path/help/<dir>/<page>.jsp
  • Detect HTTP POST requests to /reports/helpmanager with Basic Authentication header using the hardcoded backdoor credential 'hch908v:z6t0j$+i' (Base64: aGNoOTA4djp6NnQwaiQraQ==)
  • Detect multipart/form-data POST to /reports/helpmanager — exploitation uploads a JSP payload file to the server via HelpManagerServlet
  • After upload, attacker triggers the JSP payload via HTTP GET to /help/<random_dir>/<random>.jsp — monitor for GET requests to /help/ paths with .jsp extensions following a POST to /reports/helpmanager
  • Server fingerprinting: exploit targets servers returning 'Apache-Coyote' in HTTP response headers — scope detection to HP OpenView Performance Insight servers with this header
  • The backdoor account is hardcoded in the Java class com.trinagy.security.XMLUserManager with username 'hch908v' and encrypted password derived from 'z6t0j$+i' — alert on any authentication using this username
  • ·The Metasploit module was only validated against version 5.41.0; exploitation behavior against other affected versions (5.2, 5.3, 5.31, 5.4) may differ
  • ·The module targets Windows platforms only (Platform => 'win') with a Java architecture payload; Linux/other OS deployments may not be exploitable via this specific module
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.