CVE-2017-2751

MEDIUM

HP 240 G1 Firmware < f.48 - Insufficiently Protected Credentials

Title source: rule

Description

A BIOS password extraction vulnerability has been reported on certain consumer notebooks with firmware F.22 and others. The BIOS password was stored in CMOS in a way that allowed it to be extracted. This applies to consumer notebooks launched in early 2014.

Exploits (1)

nomisec WRITEUP 1 stars
by BaderSZ · poc
https://github.com/BaderSZ/CVE-2017-2751

Scores

CVSS v3: 4.6
EPSS: 0.0438
EPSS Percentile: 88.8%
Attack Vector: PHYSICAL
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE: CWE-522
Status: published

Affected Products (34)

hp/hp_240_g1_firmware < f.48
hp/hp_245_g1_firmware < f.48
hp/hp_1000-1300_firmware < f.48
hp/hp_250_g1_notebook_pc_firmware < f.47
hp/hp_255_g1_notebook_pc_firmware < f.47
hp/hp_envy_15-j000_firmware < f.22
hp/hp_envy_15-j100_firmware < f.71
hp/hp_pavilion_15-n000_firmware < f.72
hp/hp_246_firmware < f.04
hp/hp_455_firmware < f.08
hp/hp_envy_17_j100_firmware < f.71
hp/hp_envy_17-j100_leap_motion_se_firmware < f.71
hp/hp_split_13-g200_firmware < f.25
hp/hp_envy_100_firmware < f.22
hp/hp_pavilion_14-n000_firmware < f.72
... and 19 more

Timeline

Published: Oct 03, 2018
Tracked Since: Feb 18, 2026