cbcvebase.
CVE-2013-4822
published 2013-10-13

CVE-2013-4822: Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Branch Intelligent Management System Software Module (aka BIMS) allows remote…

PriorityP275critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
62.62%
99.1th percentile
Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Branch Intelligent Management System Software Module (aka BIMS) allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1606.

Affected

6 ranges
VendorProductVersion rangeFixed in
hpimc_branch_intelligent_management_system_software_module
hpimc_branch_intelligent_management_system_software_module
hpimc_branch_intelligent_management_system_software_module
hpintelligent_management_center
hpintelligent_management_center
hpintelligent_management_center

Detection & IOCsextracted from sources · hover to see the quote

port8080
url/upload/upload
pathWEB-INF/web.xml
path..\web\apps\upload\
othercom.h3c.imc.bims.acs.server.UploadServlet
  • Detect HTTP GET to /upload/upload with a 'fileName' parameter containing path traversal sequences (e.g. WEB-INF/web.xml) — this is the check/probe request used to fingerprint the vulnerable UploadServlet.
  • Detect HTTP PUT to /upload/upload with a 'fileName' parameter ending in .jsp — this is the payload upload step of the exploit.
  • A vulnerable server responds to the GET probe with HTTP 200, Content-Type: application/doc, and body containing 'com.h3c.imc.bims.acs.server.UploadServlet'. Use this response signature for detection.
  • Target server banner contains 'Apache-Coyote'; use this in conjunction with the /upload/upload endpoint to narrow detection scope to HP iMC BIMS instances.
  • After upload, the attacker executes the dropped JSP via HTTP GET to /upload/<random_alphanumeric>.jsp on port 8080. Monitor for GET requests to /upload/*.jsp as a post-exploitation indicator.
  • ·The exploit targets HP iMC BIMS versions 5.1 E0201 through 5.2 E0401 on Windows only; the directory traversal payload path (..\web\apps\upload\) is Windows-specific and will not apply to non-Windows deployments.
  • ·The module uses ARCH_JAVA payloads; the uploaded JSP payload must not contain bare CR/LF sequences or it will be corrupted by the vulnerable application.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.