CVE-2017-5816
published 2018-02-15

CVE-2017-5816: A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

Priority: P184 | critical | 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 86.47% (99.7th percentile)

Affected

3 ranges
Vendor | Product | Version range | Fixed in
hewlett_packard_enterprise | intelligent_management_center_plat | |
hp | intelligent_management_center | < 7.3 | 7.3
hp | intelligent_management_center | |

Detection & IOCs (extracted from sources)

port: 2810/tcp
command: opcode 10008 (RestartDB) with unsanitized dbInstance field containing command injection via BER-encoded ASN.1 sequence
  • Detect command injection patterns in the dbInstance field of dbman packets: look for shell metacharacters such as double-quote followed by ampersand ("&) within BER-encoded traffic on port 2810.
  • The dbman service responds with the string 'dbman' in its error banner; a probe sending an empty 4-byte opcode 10008 packet ([10008].pack('N')) and receiving a response matching /dbman/i confirms a vulnerable/exposed instance.
  • The exploit runs commands as SYSTEM on Windows; monitor for unexpected child processes spawned by the dbman service (e.g., cmd.exe, powershell.exe) on iMC hosts.
  • The service is unauthenticated; any external TCP connection to port 2810 on an iMC host should be treated as suspicious and investigated.
  • The PoC hardcodes a test IP and payload; in real attacks the dbIp field is randomized and the payload will differ, so do not rely solely on static IP matching for detection.
  • The Metasploit module enforces a payload length limit of 8000 bytes for PowerShell delivery; payloads exceeding this will fail, so very large command strings in the dbInstance field may indicate a non-Metasploit custom exploit.
  • The vulnerability affects iMC PLAT versions before 7.3 E0504P04; version 7.2 (E0403) Standard was confirmed tested. Ensure patching to 7.3 E0504P04 or later.

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C