CVE-2020-7136
published 2020-04-30

Priority: P1 90, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 79.52% (99.6th percentile)

A security vulnerability in HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access. Hewlett Packard Enterprise has provided a software update to resolve this vulnerability in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). Download the latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP).

Affected

2 ranges
Vendor                      Product               Version range  Fixed in
hewlett_packard_enterprise  smart_update_manager
hpe                         smart_update_manager  < 8.5.6        8.5.6

Detection & IOCs (extracted from sources)

url: POST /session/create HTTP/1.1
url: GET /session/{sessionid}/node/index HTTP/1.1
command: {"hapi":{"username":"Administrator","password":"any_password","language":"en","mode":"gui", "usesshkey":true, "privatekey":"any_privateky", "passphrase":"any_passphase","settings":{"output_filter":"passed","port_number":"444"}}}
port: 444
  • Detect exploitation attempts by monitoring POST requests to /session/create with a JSON body containing 'usesshkey':true — this is the auth-bypass trigger using an SSH key flag to skip password validation.
  • A successful exploit response will contain all three strings in the body: 'hmessage', 'Command completed successfully.', and 'node_name' — match all three (AND condition) to confirm exploitation.
  • After session creation, attackers will follow up with GET /session/<sessionid>/node/index to enumerate nodes — monitor for this pattern with a valid sessionId extracted from a prior /session/create response.
  • The sessionId format used in follow-on requests matches the regex pattern '[a-z0-9.]+' — use this to identify active sessions created via the bypass.
  • Content-Type header is application/json on the exploit POST — combine with the /session/create path and usesshkey field in the body for a high-fidelity detection rule.
  • The exploit payload uses 'usesshkey':true with arbitrary/dummy values for privatekey and passphrase, indicating the vulnerability is an authentication bypass (CWE-288) that does not actually validate SSH key material; any value triggers the bypass.
  • The vulnerability affects HPE Smart Update Manager (SUM) versions strictly prior to 8.5.6; version 8.5.6 and later are not affected.
  • The exploit targets port 444 as specified in the settings payload. HPE SUM may be running on a non-standard HTTPS port; ensure network monitoring covers port 444.
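
One way to combine the detection notes above into a single correlation check, as an added example that is not from the original page or from HPE: it walks time-ordered HTTP transaction records and grades each source as attempt, follow-up or confirmed. The record field names (src, method, path, content_type, req_body, resp_body), the rec() helper and all sample values are assumptions constructed for illustration.

```python
import json
import re

SUCCESS_MARKERS = ("hmessage", "Command completed successfully.", "node_name")
NODE_INDEX_RE = re.compile(r"^/session/[a-z0-9.]+/node/index$")
RANK = {"attempt": 1, "follow-up": 2, "confirmed": 3}

def is_bypass_attempt(txn):
    """JSON POST to /session/create whose hapi.usesshkey is literally true."""
    if (txn["method"], txn["path"]) != ("POST", "/session/create"):
        return False
    if "application/json" not in txn.get("content_type", "").lower():
        return False
    try:
        body = json.loads(txn.get("req_body") or "")
    except ValueError:
        return False  # empty or malformed JSON is not the documented trigger
    hapi = body.get("hapi") if isinstance(body, dict) else None
    return isinstance(hapi, dict) and hapi.get("usesshkey") is True

def classify(transactions):
    """Map source address -> strongest verdict; input must be time-ordered."""
    verdicts = {}
    for txn in transactions:
        src = txn["src"]
        if is_bypass_attempt(txn):
            verdicts.setdefault(src, "attempt")
        if src not in verdicts:
            continue  # nothing to correlate until an attempt has been seen
        seen = verdicts[src]
        if txn["method"] == "GET" and NODE_INDEX_RE.match(txn["path"]):
            seen = "follow-up"
        # The page does not say which response carries the markers: check all.
        if all(m in txn.get("resp_body", "") for m in SUCCESS_MARKERS):
            seen = "confirmed"
        if RANK[seen] > RANK[verdicts[src]]:
            verdicts[src] = seen
    return verdicts

# Constructed sample records (not real traffic); addresses are documentation ranges.
def rec(src, method, path, req="", resp=""):
    return {"src": src, "method": method, "path": path,
            "content_type": "application/json", "req_body": req, "resp_body": resp}

SAMPLE = [
    rec("192.0.2.10", "POST", "/session/create", '{"hapi":{"usesshkey":true}}'),
    rec("192.0.2.10", "GET", "/session/ab12.cd34/node/index", resp='{"hmessage":"Command completed successfully.","node_name":"constructed"}'),
    rec("198.51.100.7", "POST", "/session/create", '{"hapi":{"usesshkey":false}}'),
    rec("203.0.113.5", "POST", "/session/create", '{"hapi":{"usesshkey":true}}'),
]
```

A "confirmed" verdict means the AND condition on all three response strings was met after a flagged session creation; "attempt" alone is what a patched server (8.5.6 or later) would still produce in logs.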

CVSS provenance

nvd        v3.1  9.8   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck        9.8   CRITICAL