CVE-2017-12500
published 2018-02-15
Priority: P272 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 15.00% (96.3th percentile)
A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version PLAT 7.3 (E0504) was found. The problem was resolved in HPE Intelligent Management Center PLAT v7.3 (E0506) or any subsequent version.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | intelligent_management_center_plat | — | — |
| hp | intelligent_management_center | — | — |
Detection & IOCs (extracted from sources)
command: `facesContext.getExternalContext().redirect("".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("var proc=new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"cmd.exe\",\"/c\",\"<CMD>\")).start();")`
- Alert on HTTP requests to HPE iMC (ports 8080/8443) where the 'beanName' query parameter contains URL-encoded EL expressions referencing 'ScriptEngineManager', 'ProcessBuilder', or 'cmd.exe'.
- A successful exploitation attempt results in an HTTP 302 redirect response from the server; absence of 302 indicates injection failure per the exploit logic.
- The exploit is unauthenticated; monitor for requests to /imc/primepush/ from unauthenticated sessions (no valid session cookie) as a high-fidelity indicator of exploitation attempts.
- Default Metasploit payload for this module is 'cmd/windows/reverse_powershell'; monitor for outbound PowerShell reverse shell connections from the iMC server process.
- The exploit targets iMC PLAT versions prior to 7.3 E0504P04; the default listening ports are 8080 (HTTP) and 8443 (HTTPS), so detections should be scoped to these ports unless the deployment uses non-default ports.
- The exploit was tested on Windows Server 2012R2 x64 (EN) only; the attack path and payload (cmd.exe /c) are Windows-specific and detections may need adjustment for other OS deployments.
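The first three checks above, applied to web access-log lines, as an added example (not code from this page, HPE, or the Metasploit module). The log layout, the `session=` field, the `PLACEHOLDER` path segment, the `statusBean` value and the sample lines are constructed assumptions; `beanName` is decoded repeatedly so double-encoded values are inspected too.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Strings the page says to look for inside the decoded 'beanName' parameter.
KEYWORDS = ("scriptenginemanager", "processbuilder", "cmd.exe")
# Assumed (constructed) log layout: ip "METHOD uri" status session=<-|present>
LINE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<uri>\S+)" '
                  r'(?P<status>\d{3}) session=(?P<session>\S+)$')

# Constructed sample lines; PLACEHOLDER stands in for the real resource name.
SAMPLE_LOG = [
    '198.51.100.7 "GET /imc/primepush/PLACEHOLDER?beanName=%23%7Bx.forName(%22javax.script.ScriptEngineManager%22)%7D" 302 session=-',
    '198.51.100.7 "GET /imc/primepush/PLACEHOLDER?beanName=cmd%252Eexe" 200 session=-',
    '10.0.0.5 "GET /imc/primepush/PLACEHOLDER?beanName=statusBean" 200 session=present',
    '10.0.0.5 "GET /imc/login.jsf" 200 session=-',
]

def full_unquote(value, rounds=3):
    """URL-decode repeatedly so double-encoded keywords are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a list of findings for one log line, or None if it is not of interest."""
    m = LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if not parts.path.lower().startswith("/imc/primepush/"):
        return None
    findings = []
    if m["session"] == "-":  # no session cookie: unauthenticated request
        findings.append("unauthenticated-primepush")
    values = parse_qs(parts.query, keep_blank_values=True).get("beanName", [])
    decoded = " ".join(full_unquote(v).lower() for v in values)
    hits = [k for k in KEYWORDS if k in decoded]
    if hits:
        findings.append("el-in-beanName:" + ",".join(hits))
        # Per the page, a 302 response indicates the injection succeeded.
        findings.append("likely-success" if m["status"] == "302" else "likely-failed")
    return findings or None

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line)
```

A `likely-success` finding warrants host-level triage of the iMC server; `likely-failed` still records a probe against an unpatched or patched instance.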
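CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |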
- http://www.securityfocus.com/bid/100367
- http://www.securitytracker.com/id/1039152
- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us
- https://www.exploit-db.com/exploits/44648/