CVE-2013-4786
published 2013-07-08


Priority: P186, high (CVSS 3.0 base score 7.5)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW exploit, VulnCheck KEV, ransomware
Exploited in the wild
EPSS: 81.80% (99.6th percentile)
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.

Affected (2 ranges)

Vendor   Product                                    Version range   Fixed in
intel    intelligent_platform_management_interface
oracle   fujitsu_m10_firmware                       <= 2290

Detection & IOCs (extracted from sources)

Port: 623/udp (RMCP+/IPMI)
Command: ipmitool -I lanplus -v -v -v -v -U <user> -P <pass> -H <target> chassis identify
  • Detect RAKP hash harvesting by monitoring for RMCP+ open session requests (IPMI 2.0) on UDP 623 from unexpected or external sources — the attacker only needs to reach the BMC to extract the HMAC-SHA1 hash without valid credentials.
  • Alert on RAKP Message 2 responses leaving the BMC network segment; the HMAC in the response is sufficient for offline cracking (hashcat type 7300 or hmac_sha1_crack.rb).
  • Flag IPMI traffic where the RMCP+ status response contains 'unauthorized name' or 'insufficient resources for session', indicating active RAKP-based user enumeration.
  • Monitor for use of default IPMI usernames (admin, ADMIN, USERID, root, Administrator) in RAKP authentication attempts against BMC devices.
  • Detect Metasploit's ipmi_dumphashes scanner module activity by correlating rapid sequential RMCP+ session open requests to UDP/623 from a single source IP against multiple BMC targets.
  • This is a protocol-level flaw in the IPMI 2.0 specification itself, not a software bug — BMC firmware must be updated or IPMI access restricted at the network level, as software packages (OpenIPMI, freeipmi) are not the source of the vulnerable RAKP Message 2.
  • Red Hat Enterprise Linux 5, 6, and 7 versions of OpenIPMI and freeipmi are confirmed not affected, so detection focus should be on BMC hardware firmware and network-level exposure rather than OS-level packages.
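The first and fifth bullets above describe network-level detection of RMCP+ session-open traffic: requests to UDP/623 from unexpected sources, and one source rapidly opening sessions against many BMCs. The detector below is an added example, not code from the CVE record or any cited source; it runs over constructed flow records, and the flow format, the event label rmcp_open_session, the allowed management range 10.20.0.0/24 and the sweep threshold (3 BMCs within 10 seconds) are all assumptions.

```python
# Added example (not from the CVE record): flag RMCP+ session-open traffic on
# UDP/623 matching the detection bullets above; all thresholds are assumptions.
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: timestamp src dst dport proto event
SAMPLE_FLOWS = """\
2024-01-01T10:00:00 10.10.0.5 10.20.0.10 623 udp rmcp_open_session
2024-01-01T10:00:01 10.10.0.5 10.20.0.11 623 udp rmcp_open_session
2024-01-01T10:00:01 10.10.0.5 10.20.0.12 623 udp rmcp_open_session
2024-01-01T10:00:02 10.10.0.5 10.20.0.13 623 udp rmcp_open_session
2024-01-01T10:00:03 203.0.113.7 10.20.0.10 623 udp rmcp_open_session
2024-01-01T10:05:00 10.20.0.99 10.20.0.10 623 udp rmcp_open_session
2024-01-01T10:05:01 10.20.0.99 10.20.0.10 443 tcp https
"""
ALLOWED_SOURCES = ipaddress.ip_network("10.20.0.0/24")  # assumed admin hosts
SWEEP_TARGETS = 3   # distinct BMCs from one source within SWEEP_WINDOW seconds
SWEEP_WINDOW = 10   # (assumed) looks like a scanner sweeping a BMC range

def parse_flows(text):
    """Parse the constructed flow lines into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto, event = line.split()
            flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                          "dport": int(dport), "proto": proto, "event": event})
    return flows

def is_rakp_open(f):
    """RMCP+ open-session request to a BMC: first message of the RAKP exchange."""
    return f["dport"] == 623 and f["proto"] == "udp" and f["event"] == "rmcp_open_session"

def detect(flows, allowed=ALLOWED_SOURCES, targets=SWEEP_TARGETS, window=SWEEP_WINDOW):
    """Return alerts: one per unexpected source, one per multi-BMC sweep."""
    alerts, flagged, recent = [], set(), defaultdict(list)
    for f in sorted(flows, key=lambda x: x["ts"]):
        if not is_rakp_open(f):
            continue
        # Rule 1: session-open from outside the expected management range.
        if ipaddress.ip_address(f["src"]) not in allowed and f["src"] not in flagged:
            flagged.add(f["src"])
            alerts.append(("outside_mgmt_range", f["src"], f["dst"]))
        # Rule 2: one source opening sessions against many BMCs in a short window.
        recent[f["src"]] = [h for h in recent[f["src"]] + [f]
                            if (f["ts"] - h["ts"]).total_seconds() <= window]
        seen = sorted({h["dst"] for h in recent[f["src"]]})
        if len(seen) == targets:
            alerts.append(("rakp_sweep", f["src"], seen))
    return alerts
```

On the sample data this yields one outside-range alert each for 10.10.0.5 and 203.0.113.7 plus one sweep alert for 10.10.0.5; the in-range host and the HTTPS flow produce nothing.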

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            3.0      7.5    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd            2.0      7.8    HIGH      AV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck               7.5    HIGH
vendor_redhat           7.5    HIGH