CVE-2020-26122

moderate-risk

Published 2020-12-07

Inspur NF5266M5 through 3.21.2 and other server M5 devices allow remote code execution via administrator privileges. The Baseboard Management Controller (BMC) program of INSPUR server is weak in checking the firmware and lacks the signature verification mechanism, the attacker who obtains the administrator's rights can control the BMC by inserting malicious code into the firmware program and bypassing the current verification mechanism to upgrade the BMC.

Do I need to act?

0.64% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (15)

Nf8480M5 Firmware

Nf8260M5 Firmware

Ns5162M5 Firmware

Ns5488M5 Firmware

Ns5484M5 Firmware

Ns5482M5 Firmware

Nf5280M5 Firmware

Nf5468M5 Firmware

Nf5488M5-D Firmware

Nf5180M5 Firmware

Nf5270M5 Firmware

Nf5260M5 Firmware

Nf5266M5 Firmware

Nf5466M5 Firmware

Nf5486M5 Firmware

Affected Vendors

Inspur

References (4)

Broken Link https://en.inspur.com/en/2487134/index.html

Vendor Advisory https://en.inspur.com/en/security_bulletins/security_advisory2/2543921/index.htm...

Broken Link https://en.inspur.com/en/2487134/index.html

Vendor Advisory https://en.inspur.com/en/security_bulletins/security_advisory2/2543921/index.htm...

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 18/34 · Moderate