CVE-2020-7150
📋 TL;DR
This is a critical expression language injection vulnerability in HPE Intelligent Management Center (iMC) that allows remote attackers to execute arbitrary code on affected systems. Attackers can exploit this vulnerability without authentication to gain full control of the iMC server. Organizations running iMC PLAT versions prior to 7.3 (E0705P07) are affected.
💻 Affected Systems
- HPE Intelligent Management Center (iMC)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the iMC server leading to lateral movement within the network, data exfiltration, and persistent backdoor installation.
Likely Case
Remote code execution resulting in iMC server compromise, potential credential theft, and network reconnaissance.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to iMC interfaces.
🎯 Exploit Status
CVSS 9.8 indicates trivial exploitation with high impact. Public exploit code exists for similar expression language injection vulnerabilities in iMC.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: iMC PLAT 7.3 (E0705P07) or later
Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04036en_us
Restart Required: Yes
Instructions:
1. Download iMC PLAT 7.3 (E0705P07) or later from HPE support portal.
2. Backup current iMC configuration and database.
3. Stop all iMC services.
4. Apply the patch/upgrade following HPE documentation.
5. Restart iMC services and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to iMC management interfaces to trusted IP addresses only
# Example firewall rules (Linux): allow the trusted range, then drop all other traffic to the port
iptables -A INPUT -p tcp --dport 8080 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
# Example firewall rule (Windows):
New-NetFirewallRule -DisplayName "Restrict iMC Access" -Direction Inbound -LocalPort 8080 -Protocol TCP -RemoteAddress trusted_ip_range -Action Allow
🧯 If You Can't Patch
- Isolate iMC server in a dedicated VLAN with strict access controls
- Implement web application firewall (WAF) with expression language injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check iMC version via web interface (Help → About) or by examining installation directory version files
Check Version:
# On the iMC server (Linux):
cat /opt/iMC/client/version.txt
# On Windows, check C:\Program Files\iMC\client\version.txt
Verify Fix Applied:
Verify version is iMC PLAT 7.3 (E0705P07) or later and test that faultstatchoosefaulttype functionality works without errors
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to faultstatchoosefaulttype endpoints
- Java expression language patterns in web logs (${, #{, etc.)
- Unexpected process execution from iMC Java processes
Network Indicators:
- HTTP requests containing expression language payloads to iMC ports (typically 8080, 8443)
- Outbound connections from iMC server to unexpected destinations
SIEM Query:
source="iMC_logs" AND (uri="*faultstatchoosefaulttype*" AND (body="${*" OR body="#{*"))
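The log indicators above can also be checked offline against a web access log. The following is an added example, not code from HPE or from this advisory. It assumes Common Log Format lines, and the sample path and the parameter name `p` are constructed. It inspects only the request URI, since POST bodies are normally absent from access logs.

```python
import re
from urllib.parse import unquote

ENDPOINT = "faultstatchoosefaulttype"   # endpoint name taken from the advisory
EL_OPENERS = ("${", "#{")               # EL delimiters listed under Log Indicators
# Assumed layout: Common Log Format with the request line in double quotes.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded delimiters are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (source, method, status, decoded_uri) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        uri = fully_decode(m["uri"])
        # Same logic as the SIEM query: endpoint AND an EL opener.
        if ENDPOINT in uri.lower() and any(tok in uri for tok in EL_OPENERS):
            hits.append((m["src"], m["method"], m["status"], uri))
    return hits

# Constructed sample lines (documentation IP ranges, harmless arithmetic marker).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /app/faultstatchoosefaulttype?p=alarm HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2020:10:00:05 +0000] "POST /app/faultstatchoosefaulttype?p=%24%7B1%2B1%7D HTTP/1.1" 500 0',
    '198.51.100.7 - - [01/Jan/2020:10:00:09 +0000] "POST /app/faultstatchoosefaulttype?p=%2524%257B1%252B1%257D HTTP/1.1" 500 0',
    '203.0.113.4 - - [01/Jan/2020:10:01:00 +0000] "GET /app/login?next=%23%7Bx%7D HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for src, method, status, uri in scan(SAMPLE_LOG):
        print(f"{src} {method} {status} {uri}")
```

Matching the raw, undecoded log text for `${` would miss the second and third sample lines, which is why the URI is decoded before the comparison.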