Attacker Value: Very High (1 user assessed)
Exploitability: Very Low (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2021-3723

Disclosure Date: November 12, 2021

Description

A command injection vulnerability was reported in the Integrated Management Module (IMM) of legacy IBM System x 3550 M3 and IBM System x 3650 M3 servers that could allow the execution of operating system commands over an authenticated SSH or Telnet session.

Technical Analysis

IBM Integrated Management Module (IMM) has some default admin credentials (USERID / PASSW0RD). The default credentials work on the WebUI as well as on Telnet and SSH, which are accessible by default. The vulnerability allows injecting system commands. However, the big tradeoff is that the exploit is not public.

CVSS V3 Severity and Metrics

Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • ibm

Products

  • system x3550 m3 firmware
  • system x3650 m3 firmware
