Remote code execution in HPE Systems Insight Manager
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-7200 |
| CWE-ID | CWE-502 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
HP Systems Insight Manager Client/Desktop applications / Software for system administration |
| Vendor | Hewlett Packard Enterprise Development LP |
Security Bulletin
This security bulletin contains information about 1 vulnerabilities.
Updated: 18.12.2020
Updated vulnerability description and CVSS score. Raised vulnerability risk level from Medium to High.
1) Deserialization of Untrusted Data
EUVDB-ID: #VU49093
Risk: High
CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-7200
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data passed via AMF protocol. A remote non-authenticated attacker can pass specially crafted data to the application and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsHP Systems Insight Manager: 7.6
External linkshttp://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=
http://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04068en_us
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
