Hewlett Packard RCE Vulnerability Allows Attackers to Bypass Authentication and Execute Remote Commands

A critical unauthenticated remote code execution vulnerability (CVE-2024-13804) has been discovered in HPE Insight Cluster Management Utility (CMU) v8.2, enabling attackers to bypass authentication mechanisms and execute commands with root privileges on the backend server.

This high-severity vulnerability affects a tool designed for managing high-performance computing clusters, potentially giving attackers complete control over entire computing environments.

The vulnerability stems from fundamental design flaws in how the CMU application implements client-side authorization checks without proper server-side validation.

Figure: Anonymous access to the application (Source – Navigating The Shadows)

By weaponizing the Java client application against the server, attackers can modify client-side code to bypass security restrictions and gain administrative access.

The exploit requires no authentication credentials, making it particularly dangerous for exposed systems.

The researcher behind Navigating The Shadows (0xbad53c) observed that the vulnerability lies within the application’s Java Network Launch Protocol (JNLP) client architecture.

The researcher discovered that by decompiling the application’s JAR file and modifying key authorization checks, the client can be weaponized to send privileged commands to the server via Remote Method Invocation (RMI).

The attack’s severity is amplified by the fact that HPE has designated the software as End-of-Life, meaning it will not receive security patches.

Organizations still utilizing this software are advised to implement strict network-level isolation as their primary mitigation strategy.

Technical Exploitation Analysis

The exploitation process begins with downloading and decompiling the CMU client application (cmugui_standalone.jar), which connects to the backend server over port 1099.

Figure: isAdmin validation (Source – Navigating The Shadows)

Analysis of the decompiled code revealed multiple instances of client-side “isAdmin” authorization checks, which can be circumvented by simply modifying the following function:

public Boolean isUserAdmin() {
    try {
        CMUResponse cmuResponse;
        String output = "";
        cmuResponse = ModelDispatcher.getRMIModel().executeCmdLine("ifconfig");
        output = (String)cmuResponse.getData("stdout");
        System.out.println(output);
    } catch (IOException e) {
        e.printStackTrace();
        return this.isAdmin;
    }
    return this.isAdmin;
}

After recompiling the modified client, it can be used to execute arbitrary commands on the server with root privileges via the ModelDispatcher.getRMIModel().executeCmdLine() method; in the researcher’s demonstration, the “ifconfig” command was executed successfully.
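To make the underlying design flaw concrete from the defender’s side, the following is an added illustration, not HPE’s code, the researcher’s code, or CMU’s actual API; the class, method names, session store and command allow-list are all hypothetical. It contrasts a server method that trusts a client-asserted admin flag (the pattern a patched client defeats) with one that derives the caller’s role from server-held session state, restricts what the command endpoint will run, and records every refusal for detection:

```java
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added illustration (hypothetical names, not CMU's API): an authorization
 * decision must be made from state the server controls, never from a flag or
 * check that lives in the client.
 */
public class ServerSideAuthzDemo {

    /** Constructed session store: token -> role, filled only after a real login. */
    private static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    /** Hypothetical allow-list: the only operations the command endpoint will run. */
    private static final Set<String> ADMIN_COMMANDS = Set.of("cluster-status", "node-reboot");

    /** Audit trail of denied requests, useful for spotting tampered clients. */
    static final List<String> DENIALS = new ArrayList<>();

    static final class AuthorizationException extends RemoteException {
        AuthorizationException(String msg) { super(msg); }
    }

    /**
     * Vulnerable pattern: the server accepts the client's own claim about its
     * privileges. A client whose isAdmin check has been patched just sends true.
     */
    static String executeCmdLineTrustingClient(boolean clientSaysAdmin, String cmd)
            throws RemoteException {
        if (!clientSaysAdmin) {
            throw new AuthorizationException("client reports non-admin");
        }
        return run(cmd);
    }

    /**
     * Hardened pattern: the role comes from server-side session state, the
     * command must be on the allow-list, and every refusal is recorded.
     */
    static String executeCmdLine(String sessionToken, String cmd) throws RemoteException {
        String role = sessionToken == null ? null : SESSIONS.get(sessionToken);
        if (role == null) {
            return deny("unauthenticated request for '" + cmd + "'");
        }
        if (!"admin".equals(role)) {
            return deny("role '" + role + "' attempted '" + cmd + "'");
        }
        if (!ADMIN_COMMANDS.contains(cmd)) {
            return deny("admin requested non-allow-listed command '" + cmd + "'");
        }
        return run(cmd);
    }

    /** Records the refusal, then raises it to the remote caller. */
    private static String deny(String reason) throws AuthorizationException {
        DENIALS.add(reason);
        throw new AuthorizationException(reason);
    }

    /** Stand-in for the real executor; returns a constructed string. */
    private static String run(String cmd) {
        return "executed: " + cmd;
    }

    public static void main(String[] args) throws RemoteException {
        SESSIONS.put("tok-admin", "admin");
        SESSIONS.put("tok-user", "user");

        // Trusting the client: a tampered client gets command execution.
        System.out.println(executeCmdLineTrustingClient(true, "ifconfig"));

        // Server-side check: the same tampered client is refused, and only an
        // authenticated admin running an allow-listed command succeeds.
        for (String[] attempt : new String[][] {
                {null, "ifconfig"}, {"tok-user", "node-reboot"},
                {"tok-admin", "ifconfig"}, {"tok-admin", "cluster-status"}}) {
            try {
                System.out.println(executeCmdLine(attempt[0], attempt[1]));
            } catch (AuthorizationException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
        System.out.println("audit entries: " + DENIALS.size());
    }
}
```

The point of the hardened method is that nothing the client sends can change the outcome except a session token the server itself issued; modifying the client only produces audit entries. In a real deployment the session store would be populated by the login path and the denial log would feed the SIEM, since a burst of refusals from one source is the visible signature of a client whose authorization checks have been removed.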

Figure: Successful ifconfig execution (Source – Navigating The Shadows)

The vulnerability was initially reported to HPE in May 2023 but only received the CVE identifier in January 2025 after extensive follow-up with multiple security organizations, highlighting challenges in the vulnerability disclosure process.
