#VU8006 Remote code execution in HPE integrated Lights Out (iLO 4) - CVE-2017-12542

Updated: 2021-06-17

Vulnerability identifier: #VU8006

Vulnerability risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2017-12542

CWE-ID: CWE-592

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
HPE integrated Lights Out (iLO 4)
Hardware solutions / Server management firmware (baseboard management controller)

Vendor: HPE

Description
The vulnerability allows a remote attacker to compromise the target system.

The weakness exists due to a buffer overflow in the iLO 4 web server's handling of the HTTP Connection header. A remote non-authenticated attacker can send a specially crafted HTTP request to bypass authentication on the management interface and execute arbitrary code on the iLO controller, gaining full administrative control of the BMC and, through it, of the managed server (power control, remote console, virtual media and host configuration), regardless of any user account or session.

Mitigation
Update iLO 4 firmware to version 2.53 or later.

As a general hardening measure (not a replacement for the update), keep iLO on a dedicated, isolated management network and do not expose it to the Internet or to general-purpose user networks.

Vulnerable software versions

HPE integrated Lights Out (iLO 4): all versions prior to 2.53 (1.01 and later)
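To tell whether a given iLO is in the affected range, the firmware revision can be read without credentials from the `/xmldata?item=All` endpoint that iLO 4 serves and compared against the first fixed release, 2.53. The following check is an example added by the editor and is not part of the HPE bulletin; the sample XML is a constructed RIMP response (placeholder serial and UUID), the `fetch_rimp` helper is only used when a host is passed on the command line, and the version comparison assumes the usual two-part `major.minor` form of iLO 4 firmware strings.

```python
"""Check an iLO 4 firmware revision against the fixed release for CVE-2017-12542.

Added example (not HPE's code). The XML layout follows the unauthenticated
/xmldata?item=All endpoint of iLO 4; SAMPLE_RIMP below is a constructed response.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# First iLO 4 firmware release that fixes CVE-2017-12542 (per HPESBHF03769).
FIXED_VERSION = (2, 53)

# Constructed sample of what GET https://<ilo>/xmldata?item=All returns.
SAMPLE_RIMP = """<?xml version="1.0"?>
<RIMP>
  <HSI>
    <SBSN>EXAMPLE00</SBSN>
    <SPN>ProLiant DL380 Gen9</SPN>
  </HSI>
  <MP>
    <ST>1</ST>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.50</FWRI>
    <HWRI>ASIC: 17</HWRI>
    <SN>ILOEXAMPLE00</SN>
    <UUID>ILOEXAMPLE00</UUID>
  </MP>
</RIMP>
"""


def parse_version(text):
    """'2.50' -> (2, 50). Tolerates trailing build text such as '2.53 May 2017'."""
    first = text.strip().split()[0]
    return tuple(int(part) for part in first.split("."))


def parse_rimp(xml_text):
    """Return (product name, firmware revision) from an iLO RIMP document."""
    root = ET.fromstring(xml_text)
    mp = root.find("MP")
    if mp is None:
        raise ValueError("no <MP> element: not an iLO RIMP response")
    product = (mp.findtext("PN") or "").strip()
    firmware = (mp.findtext("FWRI") or "").strip()
    return product, firmware


def is_vulnerable(product, firmware):
    """True/False for iLO 4; None when the product is not iLO 4 (other generations
    are outside the scope of this CVE and need their own checks)."""
    if "iLO 4" not in product:
        return None
    return parse_version(firmware) < FIXED_VERSION


def assess(xml_text):
    product, firmware = parse_rimp(xml_text)
    return {
        "product": product,
        "firmware": firmware,
        "vulnerable": is_vulnerable(product, firmware),
    }


def fetch_rimp(host, timeout=5):
    """Fetch the RIMP document from a live iLO. Management interfaces commonly carry
    self-signed certificates, so verification is disabled for this read-only
    fingerprint; never reuse such a context for requests that carry credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}/xmldata?item=All"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    # Usage: python ilo4_check.py <ilo-host>   (no argument: run on the sample)
    data = fetch_rimp(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RIMP
    print(assess(data))
```

Run without arguments to exercise the constructed sample, which reports firmware 2.50 as vulnerable; with a hostname it queries the real endpoint. Because the endpoint needs no authentication, the same request is also how an attacker would fingerprint exposed iLOs, which is a further reason to keep the management interface off reachable networks.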


External links
https://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker over the network, including from the Internet wherever the iLO management interface is reachable from it.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
