CVE-2024-13804
Published: 30 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13804 is an unauthenticated remote code execution (RCE) vulnerability affecting the HPE Insight Cluster Management Utility. Classified under CWE-287 (Improper Authentication), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for high-impact exploitation over the network with low complexity and no privileges required.
Unauthenticated remote attackers who can reach the affected HPE Insight Cluster Management Utility over the network can exploit this flaw without user interaction. Successful exploitation enables arbitrary code execution on the target system, resulting in high confidentiality, integrity, and availability impacts.
Mitigation guidance and additional details, including vulnerability research and potential patches, are documented in the referenced publication at https://red.0xbad53c.com/vulnerability-research/rce-in-hpe-insight-cluster-management-utility-cve-2024-13804. Security practitioners should consult this source and monitor for official HPE advisories.
Details
- CWE(s): CWE-287 (Improper Authentication)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated RCE vulnerability in a public-facing HPE management utility (CWE-287), directly enabling exploitation of public-facing applications over the network with no authentication required.