CVE-2017-5817
published 2018-02-15

CVE-2017-5817: A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P04 was found.

Priority: P183 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes (a public Metasploit module exists; see the detection notes below)
EPSS: 82.88% (99.6th percentile)

Affected (3 ranges)

Vendor                       Product                              Version range   Fixed in
hewlett_packard_enterprise   intelligent_management_center_plat   (unspecified)   (unspecified)
hp                           intelligent_management_center        < 7.3           7.3
hp                           intelligent_management_center        (unspecified)   (unspecified)

Detection & IOCs (extracted from sources)

port:     2810/tcp
command:  OpCode 10007 (RestoreDBase)
bytes:    \x00\x00\x27\x17\x00\x00\x00
bytes:    \x73\x61\x22\x26\x20 (injection prefix bytes preceding injected command)
  • Alert on unauthenticated TCP connections to port 2810 containing the OpCode 10007 (bytes \x00\x00\x27\x17) — this is the RestoreDBase request used for exploitation.
  • Detect dbman service responses containing the string 'dbman' on TCP port 2810 as a fingerprint for a vulnerable/exposed iMC dbman instance.
  • Monitor for processes spawned as SYSTEM by the iMC dbman service, particularly cmd.exe or powershell.exe child processes, indicating successful command injection via the unsanitized database username field.
  • Flag PowerShell-encoded payloads exceeding 8000 characters originating from the dbman service process, as the Metasploit module uses PowerShell for final payload delivery.
  • Inspect TCP port 2810 traffic for the ASN.1/BER-encoded packet structure with shell metacharacters (& and ") embedded in the database username field, which is the injection vector.
  • The exploit targets the dbman service only on Windows; the module was tested on iMC PLAT v7.2 (E0403) on Windows 7 SP1 and Windows Server 2008 R2, not on Linux deployments.
  • The vulnerability is pre-authentication: no credentials are required to trigger the command injection, so network-level blocking of port 2810 is the primary mitigation.
  • The WfsDelay is set to 15 seconds in the Metasploit module, so detection based on connection duration alone may miss the exploit if tuned for shorter timeouts.
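The following is an added detection example, written for this page; it is not code from the CVE record, from HPE, or from the Metasploit module. It turns the indicators listed above into a payload classifier for traffic to TCP/2810: it looks for the OpCode 10007 marker bytes, the injection prefix bytes, and shell metacharacters following the opcode, and separately fingerprints dbman responses by the literal string 'dbman'. The sample payloads are constructed here and the command portion is a placeholder; the ASN.1/BER layout of the real request is not modelled, so the scan is a byte-pattern match rather than a full protocol parse.

```python
"""Added example: classify TCP/2810 payloads against the IOCs on this page.

Not from the CVE record or the vendor. The packet layout is NOT parsed as
ASN.1/BER; the functions only look for the byte patterns listed above.
"""

DBMAN_PORT = 2810

# OpCode 10007 (RestoreDBase) as a big-endian 16-bit value: 0x2717 == 10007.
OPCODE_RESTORE_DBASE = (10007).to_bytes(2, "big")          # b"\x27\x17"
OPCODE_MARKER = b"\x00\x00" + OPCODE_RESTORE_DBASE         # b"\x00\x00\x27\x17"

# Injection prefix bytes from the page: 'sa"& ' (username 'sa' then metacharacters).
INJECTION_PREFIX = b"\x73\x61\x22\x26\x20"

# Shell metacharacters named on the page as the injection vector.
SHELL_METACHARS = (b"&", b'"')


def scan_payload(payload: bytes, dst_port: int = DBMAN_PORT) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one client->server payload."""
    reasons = []
    if dst_port != DBMAN_PORT:
        return {"suspicious": False, "reasons": reasons}

    idx = payload.find(OPCODE_MARKER)
    if idx == -1:
        return {"suspicious": False, "reasons": reasons}

    # An unauthenticated RestoreDBase request is itself worth an alert.
    reasons.append("opcode_10007_restoredbase")

    tail = payload[idx + len(OPCODE_MARKER):]
    if INJECTION_PREFIX in tail:
        # Exact prefix seen ahead of the injected command.
        reasons.append("injection_prefix_bytes")
    elif any(m in tail for m in SHELL_METACHARS):
        # Looser signal: metacharacters in the request body after the opcode.
        reasons.append("shell_metachar_after_opcode")

    return {"suspicious": True, "reasons": reasons}


def is_dbman_banner(response: bytes) -> bool:
    """Fingerprint an exposed dbman instance by the 'dbman' string in its response."""
    return b"dbman" in response


# Constructed sample traffic (placeholders, not real captures).
SAMPLE_BENIGN = b"\x00\x00\x00\x01\x00\x00\x00" + b"ordinary-request"
SAMPLE_OPCODE_ONLY = OPCODE_MARKER + b"\x00\x00\x00" + b"sa" + b"\x00" + b"plainpass"
SAMPLE_INJECTION = (
    OPCODE_MARKER + b"\x00\x00\x00"
    + INJECTION_PREFIX + b"CONSTRUCTED_COMMAND_PLACEHOLDER"
)
SAMPLE_RESPONSE = b"dbman service ready\r\n"


def summarize(samples: dict) -> dict:
    """Scan several named payloads and return name -> reasons list."""
    return {name: scan_payload(p)["reasons"] for name, p in samples.items()}


if __name__ == "__main__":
    results = summarize({
        "benign": SAMPLE_BENIGN,
        "opcode_only": SAMPLE_OPCODE_ONLY,
        "injection": SAMPLE_INJECTION,
    })
    for name, reasons in results.items():
        print(f"{name:12s} -> {reasons or 'clean'}")
    print("dbman banner:", is_dbman_banner(SAMPLE_RESPONSE))
```

The opcode-only match is still flagged because the page's first detection note treats any unauthenticated OpCode 10007 request as alert-worthy; the prefix and metacharacter reasons simply raise confidence. Because the check ignores the BER structure, a payload with the marker bytes at some unrelated offset would also match, so treat hits as triage leads rather than confirmed exploitation.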

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C