Hewlett Packard Enterprise (HPE) has disclosed a zero-day remote code execution flaw that affects the latest versions of its HPE Systems Insight Manager (SIM) software for Windows and Linux.
HPE SIM is a management and remote support automation solution for multiple HPE solutions, including servers, storage, and networking products.
The flaw stems from the lack of proper validation of user-supplied data that can result in the deserialization of untrusted data. The vulnerability could be exploited by attackers with no privileges without user interaction.
“A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM) version 7.6. The vulnerability could be exploited to allow remote code execution.” reads the security advisory.
At the time of this writing, the issue is yes to be fixed, the IT giant only provided mitigations for Windows while it is working to address the issue.
The zero-day flaw, tracked as CVE-2020-7200, was discovered by the researcher Harrison Neal that reported it through the Trend Micro’s Zero Day Initiative.
The vulnerability affects HPE Systems Insight Manager (SIM) 7.6.x., it received a severity score of 9.8/10.
HPE did not reveal if it is aware of attacks in the wild exploiting the zero-day vulnerability.
To avoid exploitation of the issue, the company recommends removing the “Federated Search” & “Federated CMS Configuration” feature with this step-by-step procedure:
(SecurityAffairs – hacking, HPE Systems Insight Manager)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.