CVE-2013-3576
published 2013-06-14

CVE-2013-3576: ginkgosnmp.inc in HP System Management Homepage (SMH) allows remote authenticated users to execute arbitrary commands via shell metacharacters in the PATH_INFO…

Priority: P272 (critical)
CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
EXPLOIT
EPSS: 66.59% (99.2th percentile)
ginkgosnmp.inc in HP System Management Homepage (SMH) allows remote authenticated users to execute arbitrary commands via shell metacharacters in the PATH_INFO to smhutil/snmpchp.php.en.

Detection & IOCs (extracted from sources)

url: /smhutil/snmpchp.php.en
path: smhutil/snmpchp/
url: /proxy/ssllogin
port: 2381
cookie: Compaq-HMMD=
path: C:\hp\hpsmh\data\htdocs\smhutil
  • Detect command injection attempts via shell metacharacters (e.g., `&&`) injected into the PATH_INFO of requests to smhutil/snmpchp.php.en or smhutil/snmpchp/
  • Alert on HTTP requests to smhutil/snmpchp/ containing `&&` or other shell metacharacters in the URI path, indicative of command injection exploitation
  • Monitor for the response body containing 'SNMP data engine output' alongside unexpected command output, which the exploit uses to confirm vulnerability
  • Monitor for POST requests to /proxy/ssllogin followed immediately by requests to smhutil/snmpchp/ with shell metacharacters, indicating authenticated exploitation flow
  • Inspect for the CpqElm-Login: success response header during login, which precedes exploitation and is used by the attacker to confirm valid credentials
  • The exploit uses tftp for payload staging on Windows; monitor for tftp.exe execution spawned from the HP SMH process context (e.g., under SYSTEM)
  • The exploit drops and executes payloads in C:\hp\hpsmh\data\htdocs\smhutil; monitor for unexpected file creation or process execution in this directory
  • Anonymous (unauthenticated) access may be possible; authentication is not strictly required for exploitation, meaning network-level controls alone may not prevent the attack
  • The exploit targets Windows platforms only and requires tftp to be enabled on the victim; Windows XP and Server 2003 have tftp enabled by default, making them higher-risk targets
  • The exploit uses SSL (HTTPS) by default on port 2381; detection rules must account for TLS-encrypted traffic and inspect after decryption
  • Exploitation results in code execution under the SYSTEM context, meaning any process or file activity from the HP SMH service should be treated as high severity
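
The request-level checks listed above can be run over server-side or post-decryption access logs. The following is an added example, not code from the page or from HP: it flags requests under smhutil/snmpchp whose decoded path carries shell metacharacters and notes whether a POST to /proxy/ssllogin from the same client preceded it. The log format, the 5-minute window, the metacharacter set and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed access-log lines (common log format); not taken from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2013:10:00:01 +0000] "POST /proxy/ssllogin HTTP/1.1" 200 512
10.0.0.5 - - [14/Jun/2013:10:00:03 +0000] "GET /smhutil/snmpchp/%26%26PLACEHOLDER%26%26 HTTP/1.1" 200 2048
10.0.0.9 - - [14/Jun/2013:10:05:00 +0000] "GET /smhutil/snmpchp.php.en HTTP/1.1" 200 1024
10.0.0.7 - - [14/Jun/2013:10:06:00 +0000] "GET /smhutil/snmpchp/&&PLACEHOLDER HTTP/1.1" 200 2048
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Both request forms named in the IOC list above.
TARGET = re.compile(r"/smhutil/snmpchp(?:\.php\.en|/)", re.I)
# Assumed metacharacter set; the page names `&&` explicitly.
META = re.compile(r"[&|;`$<>\r\n]")


def scan(log_text, window=timedelta(minutes=5)):
    """Return (client, decoded_path, verdict) for each suspicious request."""
    last_login = {}  # client IP -> time of most recent POST /proxy/ssllogin
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, ts, method, uri, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Inspect only the path (PATH_INFO lives there) and decode %XX first,
        # so an encoded `%26%26` is treated the same as a literal `&&`.
        path = unquote(uri.split("?", 1)[0])
        if method == "POST" and path == "/proxy/ssllogin":
            last_login[ip] = when
            continue
        hit = TARGET.search(path)
        if hit and META.search(path[hit.end():]):
            seen = ip in last_login and when - last_login[ip] <= window
            # Alert either way: the page notes login may not be required.
            alerts.append((ip, path, "login-then-inject" if seen else "inject-no-login"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```
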