CVE-2024-13980

critical

Description

H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined.

References

Exploits
More

https://github.com/OJZen/FckESC/blob/master/%E5%86%85%E7%BD%91%E7%99%BB%E5%BD%95%E8%BF%87%E7%A8%8B.txt

https://blog.csdn.net/weixin_48539059/article/details/141033966

https://blog.csdn.net/nnn2188185/article/details/141065540

https://axsec.blog.csdn.net/article/details/141003376

https://www.vulncheck.com/advisories/h3c-intelligent-management-center-rce

https://www.h3c.com/cn/Service/Online_Help/psirt/

Details

Source: Mitre, NVD

Published: 2025-08-27

Updated: 2025-08-27

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 10

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Severity: Critical