CVE-2017-12542

CRITICAL · EXPLOITED IN THE WILD · RANSOMWARE · NUCLEI

HP Integrated Lights-Out 4 Firmware < 2.53 - Authentication Bypass and Remote Code Execution

Exploitation Summary

CVE-2017-12542 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io), including in ransomware campaigns. EIP tracks 6 public exploits from researchers including skelsec, sk1dish and Gill-Singh-A, as well as a Metasploit module, auxiliary/admin/hp/hp_ilo_create_admin_account. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit triggers a stack-based buffer overflow in HP iLO by sending a crafted 'Connection' header with an oversized value (29 'A' characters). It can test for vulnerability by listing users or exploit it by creating a new admin account via the REST API.

Description

An authentication bypass and code execution vulnerability was found in HPE Integrated Lights-Out 4 (iLO 4) versions prior to 2.53.

Exploits (6)

exploitdb WORKING POC
by skelsec · python · remote · multiple
https://www.exploit-db.com/exploits/44005

This exploit triggers a stack-based buffer overflow in HP iLO by sending a crafted 'Connection' header with an oversized value (29 'A' characters). It can test for vulnerability by listing users or exploit it by creating a new admin account via the REST API.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: HP iLO (Integrated Lights-Out) firmware versions affected by CVE-2017-12542
No auth needed
Prerequisites: Network access to the iLO interface · HTTPS access to the REST API endpoint
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 89 stars
by skelsec · remote
https://github.com/skelsec/CVE-2017-12542

This PoC exploits CVE-2017-12542, a buffer overflow vulnerability in HP iLO4, to create a new admin user. It includes both a test function to check for vulnerability and an exploit function to add a privileged user.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: HP iLO4
No auth needed
Prerequisites: Network access to the target iLO interface
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 5 stars
by sk1dish · remote
https://github.com/sk1dish/ilo4-rce-vuln-scanner

This repository contains a Python script that scans for HP iLO 4 devices vulnerable to CVE-2017-12542 by checking version information via an unauthenticated API endpoint. It does not exploit the vulnerability but identifies potentially vulnerable targets.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: HP iLO 4 (versions <= 2.53)
No auth needed
Prerequisites: Network access to target iLO 4 devices
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Gill-Singh-A · remote
https://github.com/Gill-Singh-A/CVE-2017-12542-Exploit

This repository contains a functional Python exploit for CVE-2017-12542, an authentication bypass vulnerability in HP iLO firmware. The exploit demonstrates unauthenticated access to the iLO REST API, allowing account enumeration and administrative user creation via malformed HTTP headers.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: HP Integrated Lights-Out (iLO) firmware
No auth needed
Prerequisites: Python 3.x · requests library · colorama library · network access to target iLO device
devstral-2 · analyzed Apr 10, 2026

nomisec WORKING POC
by VijayShankar22 · remote
https://github.com/VijayShankar22/CVE-2017-12542

This PoC exploits CVE-2017-12542, a vulnerability in HP iLO servers, by sending a malformed 'Connection' header to bypass authentication and create an admin user. It includes both vulnerability checking and exploitation capabilities.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: HP iLO (Integrated Lights-Out) firmware versions 4 and 5
No auth needed
Prerequisites: Network access to the target iLO interface · iLO interface exposed on the network
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb

This Metasploit module exploits an authentication bypass vulnerability in HP iLO 4 (CVE-2017-12542) by triggering a buffer overflow in the Connection HTTP header handling. It allows the creation of an arbitrary administrator account via the REST API.

Classification: Working Poc 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: HP iLO 4 versions 1.00 to 2.50
No auth needed
Prerequisites: Network access to the target HP iLO 4 interface · SSL/TLS enabled on port 443
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

HPE Integrated Lights-out 4 (ILO4) <2.53 - Authentication Bypass
CRITICAL · by pikpikcu

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100467
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039222
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44005/

Scores

CVSS v3 10.0
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-12
InTheWild.io 2022-05-25
Ransomware Use Confirmed
Status published
Products (1)
hp/integrated_lights-out_4_firmware < 2.53
Published Feb 15, 2018
Tracked Since Feb 18, 2026