CVE-2013-4786

HIGH · EXPLOITED IN THE WILD · RANSOMWARE

Fujitsu M10 Firmware < 2290 - Unauthenticated Password Hash Exposure via IPMI RAKP HMAC

Exploitation Summary

CVE-2013-4786 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io), including in ransomware campaigns. EIP tracks 3 public exploits, from researchers including Dan Farmer and fin3ss3g0d; one of them is the Metasploit module auxiliary/scanner/ipmi/ipmi_dumphashes.

Description

The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Dan Farmer · perl · remote · multiple
https://www.exploit-db.com/exploits/38633

This Perl script exploits CVE-2013-4786, an information disclosure vulnerability in IPMI 2.0's RAKP protocol. It performs a brute-force attack to guess passwords by extracting HMAC hashes from the BMC's response during session establishment.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Intelligent Platform Management Interface (IPMI) 2.0
No auth needed
Prerequisites: Network access to the target BMC · ipmitool installed on the attacker's system
devstral-2 · analyzed Feb 18, 2026

nomisec · WORKING POC · 40 stars
by fin3ss3g0d · infoleak
https://github.com/fin3ss3g0d/CosmicRakp

This repository contains a Go-based tool that exploits CVE-2013-4786 to dump IPMI hashes by leveraging the RAKP protocol with 'None' authentication. It includes functionality to scan IP ranges or target files for vulnerable IPMI devices.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: IPMI devices with vulnerable RAKP implementation
No auth needed
Prerequisites: Network access to IPMI port (UDP 623) · Vulnerable IPMI firmware
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb

This Metasploit module exploits CVE-2013-4786 to retrieve HMAC-SHA1 password hashes from IPMI 2.0-compatible systems by sending RAKP messages. It supports offline cracking and outputs hashes in formats compatible with hashcat and John the Ripper.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: IPMI 2.0 implementations (e.g., HP iLO 4)
No auth needed
Prerequisites: Network access to UDP port 623 · IPMI 2.0 enabled on target
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.6873
EPSS Percentile: 98.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV: 2023-02-14
InTheWild.io: 2023-02-15
Ransomware Use: Confirmed
CWE: CWE-255
Status: published
Products (2):
intel/intelligent_platform_management_interface 2.0
oracle/fujitsu_m10_firmware < 2290
Published: Jul 08, 2013
Tracked Since: Feb 18, 2026