According to a statement from Tenable, HPE iMC is used for end-to-end management of IT operations, scaling of system architecture, and accommodation of new technology and infrastructure. It is used by medium to large enterprises and scales from hundreds to thousands of devices.
Tenable security researcher Chris Lyne said in a blog post that the company had released an advisory on 20 March detailing two flaws in HPE iMC 7.3 E0605P06 that could allow a remote unauthenticated attacker to gain admin privileges.
He said these vulnerabilities had been reported to HPE on 14 December 2018. On 9 May, HPE released a patch that was claimed to fix the issues.
"This means there are (at least) two unpatched, known vulnerabilities in iMC with a CVSSv2 base score of 10.0. Basically, these bugs have been lurking around without proper patches since December 2018."
The technical aspects of the two vulnerabilities have been detailed by Lyne in his post. One is a command injection and the other a buffer overflow.
Contacted for comment, an HPE spokesperson responded: "Security is a top priority at HPE. In May 2019, HPE released a patch to address this issue. When we learned the fix was insufficient, we created a more extensive remedy. This patch has required a great deal of testing to ensure it causes no negative impacts to customers, and the development team is working hard to finalise a complete solution."