CVE-2019-5490

CRITICAL

NetApp Service Processor - Command Injection

Title source: llm

Description

Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed version of Service Processor firmware IMMEDIATELY.

References (2)

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20190305-0001/

[Various Sources] http://support.lenovo.com/us/en/solutions/LEN-26771

Scores

CVSS v3 9.8

EPSS 0.0110

EPSS Percentile 78.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-1188

Status published

Products (18)

netapp/service_processor 2.8

netapp/service_processor 3.7

netapp/service_processor 4.5

netapp/service_processor 5.5

netapp/service_processor 2.5

netapp/service_processor 3.4 (3 CPE variants)

netapp/service_processor 4.2 (3 CPE variants)

netapp/service_processor 5.2 (2 CPE variants)

netapp/service_processor 2.4.1 (2 CPE variants)

netapp/service_processor 3.3 (5 CPE variants)

... and 8 more

Published Mar 21, 2019

Tracked Since Feb 18, 2026