CVE-2013-3623
published 2013-12-10


Priority: P2 (78), critical
CVSS 2.0: base score 10, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 71.93% (99.4th percentile)
Multiple stack-based buffer overflows in cgi/close_window.cgi in the web interface in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allow remote attackers to execute arbitrary code via the (1) sess_sid or (2) ACT parameter.

Affected (2 ranges)

Vendor       Product                                   Version range   Fixed in
supermicro   intelligent_platform_management_firmware  <= 2.26         (not given)
supermicro   intelligent_platform_management_firmware  (not given)     (not given)

Detection & IOCs (extracted from sources)

path: /cgi/close_window.cgi
url: /cgi/close_window.cgi
command: POST /cgi/close_window.cgi with oversized sess_sid parameter (132+ bytes triggers 500 response)
  • Exploit payload is delivered via the HTTP User-Agent header; monitor for anomalously long or binary-containing User-Agent strings in POST requests to /cgi/close_window.cgi on IPMI management interfaces (port 80/443).
  • A POST to /cgi/close_window.cgi with a safe-length sess_sid (20 bytes) returns HTTP 200 with body containing 'Can't find action' on vulnerable targets — use this two-stage probe pattern to fingerprint vulnerable IPMI controllers.
  • The exploit uses a ret2system ROP chain targeting libcrypto.so.0.9.8 base 0x40074000 and libc-2.3.5.so base 0x40554000 on ARM; presence of these fixed base addresses in memory forensics or crash dumps indicates exploitation of this specific firmware version.
  • Scan for Supermicro IPMI controllers exposing /cgi/close_window.cgi and /cgi/login.cgi unauthenticated on HTTP/HTTPS; both endpoints are known vulnerable to unauthenticated buffer overflows.
  • The exploit payload bad characters are 0x00–0x1f; any POST body or User-Agent to /cgi/close_window.cgi containing a long string of printable ASCII (no control chars) followed by ARM ROP gadget bytes is a strong exploit indicator.
  • The ROP gadget offsets and libc/libcrypto base addresses are specific to firmware version SMT_X9_214 (X9SCL/X9SCM); the exploit will not work as-is against firmware SMT_X9_315 or other X9 variants without re-deriving offsets.
  • An additional environment variable 'HTTPS=on' is present when SSL is in use, shifting the ROP offset by 4 bytes (204 vs 208); detection rules based on payload length must account for both SSL and non-SSL variants.
  • Firmware version 3.15 (SMT_X9_315) and later patches the vulnerability; devices running earlier firmware on X9 generation motherboards remain vulnerable.
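The detection indicators above (oversized sess_sid or ACT parameter in a POST to /cgi/close_window.cgi, and an anomalously long or binary-containing User-Agent header) can be turned into a small screening rule. The following is an added example, not code from the CVE record, from Supermicro, or from any published detection rule. It assumes requests to the IPMI web interface are available as parsed records (method, path, headers, body), for instance exported from a reverse proxy or WAF placed in front of the controller; the request records and the 256-byte User-Agent threshold are constructed here, while the 132-byte parameter threshold comes from the record above.

```python
"""Screen HTTP request records for CVE-2013-3623 indicators (added example)."""
from urllib.parse import parse_qs

TARGET_PATH = "/cgi/close_window.cgi"
VULNERABLE_PARAMS = ("sess_sid", "ACT")
OVERSIZE_PARAM_BYTES = 132   # from the record: 132+ bytes triggers a 500 on vulnerable firmware
UA_MAX_LEN = 256             # assumed threshold for a normal browser User-Agent string


def _is_binary(s: str) -> bool:
    """True if the string carries control (0x00-0x1f), DEL or non-ASCII characters."""
    return any(ord(c) < 0x20 or ord(c) > 0x7e for c in s)


def check_request(req: dict) -> list:
    """Return the list of indicators matched by one request record.

    A record is a dict with keys 'method', 'path', 'headers' (dict) and 'body'
    (the raw form-encoded POST body as a string). Non-matching requests yield [].
    """
    reasons = []
    if req.get("method") != "POST" or req.get("path") != TARGET_PATH:
        return reasons

    # Form-decode the body; keep_blank_values so an empty sess_sid is still seen.
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    for name in VULNERABLE_PARAMS:
        for value in params.get(name, []):
            size = len(value.encode("utf-8", "surrogateescape"))
            if size >= OVERSIZE_PARAM_BYTES:
                reasons.append(f"oversized {name} ({size} bytes)")

    ua = req.get("headers", {}).get("User-Agent", "")
    if len(ua) > UA_MAX_LEN:
        reasons.append(f"long User-Agent ({len(ua)} bytes)")
    if _is_binary(ua):
        reasons.append("binary User-Agent")
    return reasons


def scan(requests: list) -> list:
    """Return (index, reasons) for every record that matched at least one indicator."""
    hits = []
    for i, req in enumerate(requests):
        reasons = check_request(req)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records (not real captures): one benign close_window call,
# one unrelated login request, one request matching all three indicators, and one
# request that only oversizes the ACT parameter.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/24.0"
SAMPLE_REQUESTS = [
    {"method": "POST", "path": TARGET_PATH, "headers": {"User-Agent": BROWSER_UA},
     "body": "sess_sid=" + "a" * 20 + "&ACT=close"},
    {"method": "GET", "path": "/cgi/login.cgi", "headers": {"User-Agent": BROWSER_UA},
     "body": ""},
    {"method": "POST", "path": TARGET_PATH,
     "headers": {"User-Agent": "A" * 300 + "\x01\x02"},
     "body": "sess_sid=" + "A" * 300 + "&ACT=close"},
    {"method": "POST", "path": TARGET_PATH, "headers": {"User-Agent": BROWSER_UA},
     "body": "sess_sid=" + "a" * 20 + "&ACT=" + "B" * 150},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(reasons)}")
```

The rule deliberately keys on the request side rather than on the 500 response, so it also catches attempts against the SSL variant mentioned above, where the payload length differs by a few bytes; tune UA_MAX_LEN to the management-network baseline before alerting on the User-Agent length alone.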