CVE-2012-5201
published 2013-03-09

CVE-2012-5201: Unspecified vulnerability in HP Intelligent Management Center (iMC) and Intelligent Management Center for Automated Network Manager (ANM) before 5.2 E0401…

Priority: P278
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 63.74% (99.1th percentile)
Unspecified vulnerability in HP Intelligent Management Center (iMC) and Intelligent Management Center for Automated Network Manager (ANM) before 5.2 E0401 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1611.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | intelligent_management_center | <= 5.1 | |
| hp | intelligent_management_center | | |
| hp | intelligent_management_center | | |
| hp | intelligent_management_center_for_automated_network_manager | <= 5.1 | |

Detection & IOCs (extracted from sources)

port: 8080
path: /imc
path: /imc/login.jsf
path: /imc/webdm/mibbrowser/mibFileUpload
path: ../../../../../../../ROOT/
filename: *.jsp (randomly named JSP payload uploaded to ROOT/)
filename: *.zip (randomly named ZIP containing path-traversal JSP payload)
  • Detect unauthenticated HTTP POST requests to the mibFileUpload endpoint with a multipart/form-data body containing a ZIP file — this is the core exploit delivery mechanism.
  • Alert on HTTP POST to /imc/webdm/mibbrowser/mibFileUpload with Content-Type multipart/form-data containing a .zip attachment — no authentication header or session cookie required by the application.
  • Detect ZIP archives uploaded to the mibFileUpload endpoint whose internal file paths contain directory traversal sequences (e.g., '../../../../../../../ROOT/') targeting the Tomcat ROOT web directory.
  • Alert on new .jsp files appearing under the Tomcat ROOT web directory following a POST to mibFileUpload — indicates successful path-traversal file drop and potential webshell deployment.
  • Use the Server response header 'Apache-Coyote' as a fingerprint to confirm the target is the HP iMC Tomcat instance; correlate with exploit traffic to port 8080.
  • A GET request to /imc/login.jsf returning HTTP 200 with body matching 'HP Intelligent Management Center' confirms a vulnerable target is being probed (exploit check phase).
  • The Metasploit module targets HP iMC 5.1 E0202 on Windows 2003 SP2 specifically; the CVE affects all versions before 5.2 E0401, so detection should not be scoped only to this version.
  • The JSP payload has newline characters (0x0d0a and 0x0a) stripped before embedding in the ZIP; signature-based detection of the payload content must account for this encoding transformation.
  • The exploit works around an incompatible MIME boundary implementation by removing a leading CRLF before the boundary marker; MIME-parsing IDS rules must handle this non-standard formatting.
  • The JSESSIONID cookie value sent with the upload request is a random 32-byte hex string and is not a valid session; the endpoint accepts the upload without authentication regardless of cookie value.
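
Added example (not taken from the sources this page extracts from): one way to implement the archive check described above, flagging ZIP entries whose names resolve outside the extraction directory. The function names and the two sample archives are constructed for illustration; it assumes the uploaded ZIP body has already been carved out of the multipart request.

```python
import io
import posixpath
import zipfile


def escapes_root(name: str) -> bool:
    """True if a ZIP entry name would resolve outside the extraction directory."""
    unified = name.replace("\\", "/")  # Windows targets accept either separator
    if unified.startswith("/") or (len(unified) > 1 and unified[1] == ":"):
        return True  # absolute path or drive letter
    resolved = posixpath.normpath(unified)
    return resolved == ".." or resolved.startswith("../")


def suspicious_entries(zip_bytes: bytes) -> list[dict]:
    """Return one finding per entry that traverses out of the extraction root."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [{"name": None, "reason": "not a parseable ZIP"}]
    with archive:
        for info in archive.infolist():
            if escapes_root(info.filename):
                lowered = info.filename.lower()
                findings.append({
                    "name": info.filename,
                    "reason": "path traversal",
                    "jsp": lowered.endswith((".jsp", ".jspx")),
                })
    return findings


def build_sample(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign MIB bundle and one using the traversal prefix listed above.
BENIGN = build_sample({"mibs/EXAMPLE-MIB.mib": "EXAMPLE-MIB DEFINITIONS ::= BEGIN END"})
TRAVERSAL = build_sample({"../../../../../../../ROOT/aBcD.jsp": "placeholder"})

if __name__ == "__main__":
    print(suspicious_entries(BENIGN))
    print(suspicious_entries(TRAVERSAL))
```

Because the check resolves entry names instead of matching payload bytes, it is unaffected by the newline stripping noted above.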