CVE-2014-8272
published 2014-12-19


Priority: P3, 50
CVSS 2.0: 5 (medium), AV:N/AC:L/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 21.15% (97.3th percentile)
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

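Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| dell | idrac6_modular | <= 3.60 | |
| dell | idrac6_monolithic | <= 1.97 | |
| dell | idrac7 | <= 1.56.55 | |
| intel | ipmi | | |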

Detection & IOCs

port: 623/UDP
  • Exploit iterates up to 0x80 (128) session setup attempts in a tight loop with only 0.5s sleep between successes; high-frequency IPMI session open/close bursts from one source to UDP/623 are a strong indicator.
  • After hijacking a session, the exploit issues privileged IPMI commands including SetUserAccess, SetUserName, and SetUserPassword (netfn=0x06, cmds 0x43–0x47) to create or escalate accounts; monitor for these commands in authenticated IPMI sessions.
  • RMCP header magic bytes for IPMI v1.5 packets: first byte 0x06 (RMCP version), fourth byte 0x07 (IPMI class); use as a byte-level filter on UDP/623 traffic to scope IPMI session traffic for further analysis.
  • The exploit only works if IPMI v1.5 is enabled on the iDRAC; if the firmware has disabled it, the BMC will not respond to IPMI v1.5 session setup and is not vulnerable.
  • Affected products are Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57; versions at or above these thresholds are patched.
  • The exploit uses MD5 authentication by default; if the iDRAC is configured to require a stronger auth type or has MD5 disabled, the session setup path will differ.
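
The detection notes above can be combined into one passive check over traffic captured on UDP/623. The sketch below is an added example, not code from this page or its sources. It assumes the standard IPMI v1.5 session header layout (auth type, sequence, session ID, optional 16-byte auth code, length) and treats Activate Session (cmd 0x3A) as the session setup marker; the function names, burst threshold, window and sample packets are all hypothetical or constructed.

```python
from collections import defaultdict

NETFN_APP, ACTIVATE_SESSION = 0x06, 0x3A
USER_MGMT_CMDS = range(0x43, 0x48)       # cmds 0x43-0x47 from the notes above
BURST_THRESHOLD, WINDOW_SECONDS = 20, 10.0   # assumed tuning values, not from the page

def parse_ipmi15(payload):
    """Return (netfn, cmd) of an IPMI v1.5 message, or None if it is not one."""
    if len(payload) < 5 or payload[0] != 0x06 or payload[3] != 0x07:
        return None                       # RMCP version 0x06, class 0x07 (IPMI)
    auth_type = payload[4]
    if auth_type == 0x06:                 # RMCP+ (IPMI 2.0) session format, skip
        return None
    off = 13 + (16 if auth_type else 0)   # auth type, seq, session ID [, auth code]
    if len(payload) < off + 1:
        return None
    msg = payload[off + 1: off + 1 + payload[off]]
    if len(msg) < 7 or len(msg) != payload[off]:
        return None                       # truncated or too short for a request
    return msg[1] >> 2, msg[5]            # netFn is the top 6 bits of byte 1

def detect(packets):
    """packets: (timestamp, src_ip, udp_payload) tuples seen going to UDP/623."""
    alerts, recent = [], defaultdict(list)
    for ts, src, payload in packets:
        parsed = parse_ipmi15(payload)
        if parsed is None or parsed[0] != NETFN_APP:
            continue
        cmd = parsed[1]
        if cmd == ACTIVATE_SESSION:       # count session setups per source
            times = recent[src]
            times.append(ts)
            while times[0] < ts - WINDOW_SECONDS:
                times.pop(0)
            if len(times) == BURST_THRESHOLD:   # fire once when the burst is reached
                alerts.append(("session-setup-burst", src, ts))
        elif cmd in USER_MGMT_CMDS:
            alerts.append(("user-management-command", src, cmd))
    return alerts

def build(auth_type, cmd):
    """Constructed sample packet: checksums, IDs and auth code are zero filler."""
    msg = bytes([0x20, NETFN_APP << 2, 0, 0x81, 0, cmd, 0])
    hdr = bytes([0x06, 0x00, 0xFF, 0x07, auth_type]) + bytes(8)
    return hdr + (bytes(16) if auth_type else b"") + bytes([len(msg)]) + msg

# Constructed traffic: 25 MD5 (auth type 0x02) session setups, one SetUserPassword.
SAMPLE = [(i * 0.1, "192.0.2.10", build(0x02, ACTIVATE_SESSION)) for i in range(25)]
SAMPLE.append((3.0, "192.0.2.10", build(0x02, 0x47)))
SAMPLE.append((3.1, "192.0.2.20", b"\x06\x00\xff\x06" + bytes(12)))  # RMCP ASF, ignored
```

User-management commands also occur during legitimate administration, so that alert is most useful when correlated with a preceding burst from the same source.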