CVE-2020-26122 — HIGH (7.2)

Q: How severe is CVE-2020-26122?

CVE-2020-26122 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-26122?

Check the references section above for vendor advisories and patch information. Affected products include: Inspur Nf8480M5 Firmware, Inspur Nf8480M5, Inspur Nf8260M5 Firmware, Inspur Nf8260M5, Inspur Ns5162M5 Firmware.

Vulnerability Description

Inspur NF5266M5 through 3.21.2 and other server M5 devices allow remote code execution via administrator privileges. The Baseboard Management Controller (BMC) program of INSPUR server is weak in checking the firmware and lacks the signature verification mechanism, the attacker who obtains the administrator's rights can control the BMC by inserting malicious code into the firmware program and bypassing the current verification mechanism to upgrade the BMC.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Inspur	Nf8480M5 Firmware	< 1.19.34
Inspur	Nf8480M5	-
Inspur	Nf8260M5 Firmware	< 1.19.34
Inspur	Nf8260M5	-
Inspur	Ns5162M5 Firmware	< 4.5.3
Inspur	Ns5162M5	-
Inspur	Ns5488M5 Firmware	< 1.19.33
Inspur	Ns5488M5	-
Inspur	Ns5484M5 Firmware	< 1.19.33
Inspur	Ns5484M5	-
Inspur	Ns5482M5 Firmware	< 1.19.33
Inspur	Ns5482M5	-
Inspur	Nf5280M5 Firmware	< 4.26.6
Inspur	Nf5280M5	-
Inspur	Nf5468M5 Firmware	< 1.18.51
Inspur	Nf5468M5	-
Inspur	Nf5488M5-D Firmware	< 1.18.51
Inspur	Nf5488M5-D	-
Inspur	Nf5180M5 Firmware	< 4.18.2
Inspur	Nf5180M5	-

Related Weaknesses (CWE)

CWE-347

References

https://en.inspur.com/en/2487134/index.htmlBroken Link
https://en.inspur.com/en/security_bulletins/security_advisory2/2543921/index.htmVendor Advisory
https://en.inspur.com/en/2487134/index.htmlBroken Link
https://en.inspur.com/en/security_bulletins/security_advisory2/2543921/index.htmVendor Advisory

FAQ

What is CVE-2020-26122?

CVE-2020-26122 is a vulnerability with a CVSS score of 7.2 (HIGH). Inspur NF5266M5 through 3.21.2 and other server M5 devices allow remote code execution via administrator privileges. The Baseboard Management Controller (BMC) program of INSPUR server is weak in check...

How severe is CVE-2020-26122?

CVE-2020-26122 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-26122?

Check the references section above for vendor advisories and patch information. Affected products include: Inspur Nf8480M5 Firmware, Inspur Nf8480M5, Inspur Nf8260M5 Firmware, Inspur Nf8260M5, Inspur Ns5162M5 Firmware.