CRITICAL🇵🇱 Wersja polska

CVE-2024-13980

CVSS 10.0v4.0pub. 2025-08-27upd. 2026-04-15

H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-28 UTC.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of the javax.faces.ViewState parameter in the JSF (JavaServer Faces) mechanism — this is an unsafe deserialization error (CWE-502). An attacker can send a crafted HTTP POST request to the /byod/index.xhtml endpoint with a forged javax.faces.ViewState parameter containing a malicious payload. The server deserializes this parameter without verifying its origin or integrity, leading to execution of arbitrary commands in the context of the application process. Exploitation does not require a valid session token or authentication cookies.

Impact

An unauthenticated remote attacker can gain full control over the server running H3C IMC by executing arbitrary system commands. As a result, it is possible to compromise the network management system, disclose configuration data, and perform lateral movement within the infrastructure managed by IMC.

Mitigation & patch

Security patches available from the vendor should be applied according to the references (https://www.h3c.com/cn/Service/Online_Help/psirt/). Until the patch is implemented, it is recommended to restrict network access to the /byod/index.xhtml endpoint using firewall or ACL rules and to isolate the IMC management interface from public networks and untrusted segments.

Who is affected

H3C Intelligent Management Center (IMC) in versions up to and including E0632H07; the exact scope of vulnerable versions has not been definitively defined by the vendor.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassDeserialization
CWE
References