CVE-2016-4372
published 2016-07-15

CVE-2016-4372: HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC…

Priority: P279, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.44% (97.0th percentile)
HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | intelligent_management_center_application_performance_manager | <= 7.2 | |
| hp | intelligent_management_center_branch_intelligent_management_system | <= 7.2 | |
| hp | intelligent_management_center_endpoint_admission_defense | <= 7.2 | |
| hp | intelligent_management_center_network_traffic_analyzer | <= 7.2 | |
| hp | intelligent_management_center_platform | <= 7.2 | |
| hp | intelligent_management_center_user_access_management | <= 7.2 | |

Detection & IOCs (extracted from sources)

url: /imc/topo/WebDMServlet
url: /rptviewer/servlets/redirectviewer
port: 8880
  • Monitor for HTTP POST requests to /imc/topo/WebDMServlet containing serialized Java object payloads (Apache Commons Collections gadget chain). The exploit sends raw binary payload data directly in the POST body.
  • Monitor for HTTP requests to /rptviewer/servlets/redirectviewer, which is associated with the readObject deserialization call and path traversal issues in HPE iMC.
  • Detect use of CommonsCollections3 gadget chain in deserialization payloads targeting HPE iMC. Look for Java serialization magic bytes (0xACED0005) in POST bodies to iMC endpoints.
  • Alert on outbound ICMP or network connections from the iMC server process to unexpected external IPs, which may indicate successful exploitation via the ping-based PoC callback.
  • The default iMC service port used in the PoC is 8880 (HTTPS). Deployments may vary; ensure scanning/detection covers the actual configured port.
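
The first three checks above can be combined into one request classifier. The following is an added example, not part of the original record or of any vendor tooling: the function names, the `imc.example` host and the sample requests are constructed, and matching on the `org.apache.commons.collections` package prefix (Java serialization stores class names as text) is an assumption that is broader than the CommonsCollections3 chain named above.

```python
from urllib.parse import urlsplit

WATCHED_PATHS = {"/imc/topo/WebDMServlet", "/rptviewer/servlets/redirectviewer"}
JAVA_MAGIC = bytes.fromhex("aced0005")          # serialization stream header
ACC_MARKER = b"org.apache.commons.collections"  # class names appear as text

def parse_request(raw: bytes):
    """Split a captured HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    # Drop the query string and any ;path-parameters before matching.
    path = urlsplit(parts[1]).path.split(";", 1)[0]
    return parts[0].upper(), path, body

def findings(raw: bytes):
    """Return the indicators one request matches, in a fixed order."""
    method, path, body = parse_request(raw)
    hits = []
    if path in WATCHED_PATHS:
        hits.append("watched-endpoint")
    if method == "POST" and JAVA_MAGIC in body:
        hits.append("java-serialized-body")
        if ACC_MARKER in body:
            hits.append("commons-collections-class")
    return hits

def severity(raw: bytes):
    """'alert' means a serialized object was POSTed to a watched endpoint."""
    hits = findings(raw)
    if {"watched-endpoint", "java-serialized-body"} <= set(hits):
        return "alert"
    return "review" if hits else "none"

# Constructed samples, not real traffic. The "serialized" body is only the
# stream header plus a made-up class name; it is not a valid object.
_HDR = b" HTTP/1.1\r\nHost: imc.example:8880\r\n\r\n"
FAKE_OBJ = JAVA_MAGIC + b"sr\x00\x2a" + ACC_MARKER + b".ConstructedName"
SAMPLES = {
    "serialized-post": b"POST /imc/topo/WebDMServlet" + _HDR + FAKE_OBJ,
    "form-post": b"POST /rptviewer/servlets/redirectviewer?x=1" + _HDR + b"a=b",
    "other-path": b"POST /upload" + _HDR + FAKE_OBJ,
    "plain-get": b"GET /index.html" + _HDR,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, severity(raw), findings(raw))
```

Because the PoC port is HTTPS, the classifier needs decrypted request bodies, for example from a TLS-terminating proxy or application-side logging.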

CVSS provenance

nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P