HPE Fixes Critical Zero-Day in Server Management Software

Hewlett Packard Enterprise has fixed a critical zero-day remote code execution flaw in its HPE Systems Insight Manager software for Windows that it originally disclosed in December.
HPE SIM is a tool that enables remote support automation and management for a variety of HPE servers, including the HPE ProLiant Gen10 and HPE ProLiant Gen9, as well as for storage and networking products.
More than a month earlier, on April 20, HPE had issued a SIM hotfix update kit that resolves the vulnerability.
"This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM," according to Packet Storm.
The workaround: wait for the HPE SIM web page "https://SIM IP:50000" to be accessible, then execute the following command from a command prompt: mxtool -r -f tools\multi-cms-search.
HPE SIM users will no longer be able to use the federated search feature after using the workaround.
News URL
https://threatpost.com/hpe-fixes-critical-zero-day-sim/166543/