CVE-2013-4812
published 2013-09-16

Priority: P274 · critical · CVSS 2.0 score 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 51.90% (98.8th percentile)

UpdateCertificatesServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the fileName argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
hp | identity_driven_manager | |
hp | procurve_manager | |
hp | procurve_manager | |

Detection & IOCs (extracted from sources)

url: /RegWeb/RegWeb/UpdateCertificatesServlet
url: /RegWeb/RegWeb/GetCertificateStatusServlet
url: /RegWeb/html/snac/index.html
port: 443
filename: *.jsp (random 8-16 alphanumeric chars + .jsp extension)
path: \../<filename>.jsp
url: /RegWeb/<jsp_name>
  • Detect multipart POST requests to /RegWeb/RegWeb/UpdateCertificatesServlet containing a filename parameter with path traversal sequence (e.g., '\../' or '../') and a .jsp extension, indicating an attempted malicious file upload.
  • Monitor for multipart form-data POST requests to /RegWeb/RegWeb/UpdateCertificatesServlet with form fields 'importFile', 'importPasswd', 'cert_data', and 'cert_action=importCertificate', which match the exploit's upload structure.
  • Alert on HTTP GET requests to /RegWeb/*.jsp following a POST to /RegWeb/RegWeb/UpdateCertificatesServlet from the same source IP, indicating payload execution after upload.
  • Fingerprint exploit traffic by checking for the Apache-Coyote server banner, which the Metasploit module uses to identify the target.
  • Check responses from /RegWeb/RegWeb/GetCertificateStatusServlet for the JSON field '"success":"true"' as an indicator of the exploit's active reconnaissance/check phase.
  • A server response body containing 'Certificate import fails' after a POST to UpdateCertificatesServlet paradoxically indicates a successful file upload by the exploit module.
  • The exploit requires SSL (HTTPS on port 443); detection rules must inspect TLS-decrypted traffic to be effective.
  • Binary writes are not allowed by the vulnerable servlet; the exploit payload is Java-based (ARCH_JAVA) delivered as a JSP file, not a native binary.
  • Authentication bypass is part of the attack chain; the exploit first obtains a session cookie from /RegWeb/html/snac/index.html without credentials before uploading the payload.
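The POST-then-GET correlation from the list above, as an added example that is not part of the source record or any vendor tooling. It assumes combined-format access logs taken from the server or a TLS-terminating proxy; the 10-minute window, the function name and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

UPLOAD_PATH = "/RegWeb/RegWeb/UpdateCertificatesServlet"
# A JSP served directly under /RegWeb/ (the record's url IOC /RegWeb/<jsp_name>).
JSP_RE = re.compile(r"^/RegWeb/([^/]+\.jsp)$", re.IGNORECASE)
# The record's filename IOC: 8-16 random alphanumeric characters + .jsp.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8,16}\.jsp$")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
WINDOW = timedelta(minutes=10)  # assumption: correlation window, tune locally

def find_upload_then_execute(lines, window=WINDOW):
    """Alert on GET /RegWeb/*.jsp that follows a servlet POST from the same IP."""
    last_post = {}  # source IP -> time of its most recent POST to the servlet
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["uri"].split("?", 1)[0]
        if m["method"] == "POST" and path == UPLOAD_PATH:
            last_post[m["ip"]] = ts
            continue
        jsp = JSP_RE.match(path)
        posted = last_post.get(m["ip"])
        if m["method"] == "GET" and jsp and posted and timedelta(0) <= ts - posted <= window:
            alerts.append({
                "src": m["ip"], "jsp": jsp.group(1), "status": int(m["status"]),
                "delay_s": int((ts - posted).total_seconds()),
                "random_name": bool(RANDOM_NAME_RE.match(jsp.group(1))),
            })
    return alerts

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [16/Sep/2013:10:00:01 +0000] "GET /RegWeb/html/snac/index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Sep/2013:10:00:03 +0000] "POST /RegWeb/RegWeb/UpdateCertificatesServlet HTTP/1.1" 200 64',
    '203.0.113.9 - - [16/Sep/2013:10:00:04 +0000] "GET /RegWeb/aB3dE5gH7j.jsp HTTP/1.1" 404 0',
    '198.51.100.7 - - [16/Sep/2013:10:00:05 +0000] "GET /RegWeb/aB3dE5gH7j.jsp HTTP/1.1" 200 0',
    '192.0.2.44 - - [16/Sep/2013:11:00:00 +0000] "POST /RegWeb/RegWeb/UpdateCertificatesServlet HTTP/1.1" 200 64',
    '192.0.2.44 - - [16/Sep/2013:11:30:00 +0000] "GET /RegWeb/status.jsp HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    print(find_upload_then_execute(SAMPLE))
```

Access logs do not record the multipart body, so the filename traversal check in the first bullet still needs request-body inspection at a proxy or WAF.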