Arbitrary Command Execution in IBM Global Console Manager Products
CVE-2014-3085
Currently unrated
Key Information:
- Vendor: IBM
- CVE Published: 17 August 2014
Summary
IBM Global Console Manager switches, specifically the GCM16 and GCM32 models running firmware prior to version 1.20.20.23447, contain a flaw that allows authenticated users to execute arbitrary commands. The vulnerability arises from improper handling of the lpres parameter in the systest.php script, which can be exploited through shell metacharacters. An attacker leveraging this weakness could gain unauthorized access to and control over the affected systems, potentially leading to security breaches and data compromise.
EPSS Score
25% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
Vulnerability Reserved