CVE-2009-4188

HP Operations Dashboard - Unauthenticated Remote Code Execution via Default j2deployer Credentials

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2009-4188. PoCs published by Intevydis, MC, jduck, including Metasploit module auxiliary/scanner/http/tomcat_mgr_login.

AI-analyzed exploit summary The entry describes an authentication bypass vulnerability in HP Operations Dashboard 2.1 for Windows, where default credentials (j2deployer:j2deployer) can be exploited for unauthorized access. No functional exploit code is provided, but it references readily available tools for exploitation.

Description

HP Operations Dashboard has a default password of j2deployer for the j2deployer account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3098.

Exploits (5)

exploitdb WRITEUP VERIFIED
by Intevydis · textremotemultiple
https://www.exploit-db.com/exploits/33211

The entry describes an authentication bypass vulnerability in HP Operations Dashboard 2.1 for Windows, where default credentials (j2deployer:j2deployer) can be exploited for unauthorized access. No functional exploit code is provided, but it references readily available tools for exploitation.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: HP Operations Dashboard 2.1 for Windows
No auth needed
Prerequisites: Network access to the target system · Default credentials not changed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit SCANNER
by MC · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/tomcat_mgr_login.rb

This Metasploit module is a login utility for Tomcat Application Manager, designed to brute-force or test credentials against the manager interface. It does not exploit a vulnerability but scans for weak or default credentials.

Classification
Scanner 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (various versions)
Auth required
Prerequisites: Access to Tomcat Manager interface · List of usernames/passwords or default credentials
devstral-2 · analyzed Jun 05, 2026 Full analysis →
exploitdb WORKING POC
rubyremotemultiple
https://www.exploit-db.com/exploits/16317

This Metasploit module exploits Apache Tomcat's Manager application to deploy a malicious WAR archive containing a JSP payload, achieving remote code execution. It supports multiple platforms and architectures, and includes automatic target detection.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (with exposed Manager application)
Auth required
Prerequisites: Valid credentials for Tomcat Manager · Exposed Tomcat Manager interface
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocjava
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_upload.rb

This Metasploit module exploits Apache Tomcat's manager application to upload and execute a malicious WAR archive containing a JSP payload. It handles authentication, CSRF token extraction, and payload deployment/cleanup.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (versions with exposed manager application)
Auth required
Prerequisites: Valid credentials for Tomcat manager · Exposed Tomcat manager interface · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by jduck · rubypocjava
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_deploy.rb

This Metasploit module exploits Apache Tomcat's manager application to deploy a malicious WAR archive containing a JSP payload, achieving remote code execution. It supports multiple platforms (Java, Linux, Windows) and includes automatic target detection.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (multiple versions with exposed manager app)
Auth required
Prerequisites: Valid credentials for Tomcat manager · Exposed manager application (/manager)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36258
Various Sources x_refsource_misc
http://www.intevydis.com/blog/?p=87

Scores

EPSS 0.8783
EPSS Percentile 99.5%

Details

CWE
CWE-255
Status published
Products (1)
hp/operations_dashboard
Published Dec 03, 2009
Tracked Since Feb 18, 2026