Local Arbitrary Code Execution in HPE Integrated Lights-Out 5 Firmware
CVE-2022-28630

7.3HIGH

Key Information:

Vendor: HP
Status: HP Integrated Lights-out 5 (ilo 5)
Vendor: CVE Published:; 12 August 2022

What is CVE-2022-28630?

A local arbitrary code execution vulnerability has been identified in the HPE Integrated Lights-Out 5 (iLO 5) firmware, specifically in versions prior to 2.71. This weakness allows an unprivileged user to exploit the system locally, executing arbitrary code that can compromise confidentiality and integrity. Although user interaction is necessary for the exploit, the consequences include a substantial risk to system availability. HPE has released a firmware update to address this critical vulnerability. For more details, visit the official documentation at HPE.

Affected Version(s)

HPE Integrated Lights-Out 5 (iLO 5) Prior to 2.71

References

https://support.hpe.com/hpsc/doc/public/display?docLocale...

x_refsource_MISC

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 12, 2022
Vulnerability Reserved
Apr 4, 2022