H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-28 UTC.
CVSS
No CVSS.
References
Configurations
No configuration.
History
28 Aug 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-28 UTC. |
27 Aug 2025, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-08-27 22:15
Updated : 2025-08-29 16:24
NVD link : CVE-2024-13980
Mitre link : CVE-2024-13980
CVE.ORG link : CVE-2024-13980
JSON object : View
Products Affected
No product.
CWE
CWE-502
Deserialization of Untrusted Data