CVE-2019-6260

CRITICAL LAB

ASPEED ast2400/2500 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-6260. PoCs published by nikitapbst.

AI-analyzed exploit summary This repository contains a functional proof-of-concept tool for exploiting CVE-2019-6260, which targets ASPEED BMC AHB interfaces. The tool provides arbitrary read/write access to BMC memory and firmware via multiple interfaces (P2A, iLPC2AHB, LPC2AHB, Debug UART).

Description

The ASPEED ast2400 and ast2500 Baseband Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host (or from the network in unusual cases where the BMC console uart is attached to a serial concentrator). This CVE applies to the specific cases of iLPC2AHB bridge Pt I, iLPC2AHB bridge Pt II, PCIe VGA P2A bridge, DMA from/to arbitrary BMC memory via X-DMA, UART-based SoC Debug interface, LPC2AHB bridge, PCIe BMC P2A bridge, and Watchdog setup.

Exploits (2)

nomisec WORKING POC 5 stars

by nikitapbst · poc

https://github.com/nikitapbst/cve-2019-6260

View Code ZIP pw:eip

This repository contains a functional proof-of-concept tool for exploiting CVE-2019-6260, which targets ASPEED BMC AHB interfaces. The tool provides arbitrary read/write access to BMC memory and firmware via multiple interfaces (P2A, iLPC2AHB, LPC2AHB, Debug UART).

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: ASPEED BMC (AST2400, AST2500)

No auth needed

Prerequisites: Physical or logical access to BMC interfaces (PCIe, LPC, UART) · Target BMC in development or IO-Expander mode

MITRE ATT&CK

T1200 - Hardware Additions T1542 - Pre-OS Boot

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/amboar/cve-2019-6260

View Code ZIP pw:eip

This repository contains a functional tool (`culvert`) designed to test and debug BMC AHB bridges, which can be exploited to achieve arbitrary read/write access to BMC memory and firmware. The tool supports multiple interfaces (P2A, iLPC2AHB, LPC2AHB, Debug UART) and includes features for probing, firmware reflashing, and memory manipulation.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: ASPEED BMC (AST2400, AST2500, AST2600)

No auth needed

Prerequisites: Physical or logical access to BMC interfaces (PCIe, LPC, UART) · Target BMC in development or IO-Expander mode

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory x_refsource_misc

https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/

Patch, Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20190314-0001/

Third Party Advisory x_refsource_confirm

https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-785

Scores

CVSS v3 9.8

EPSS 0.0201

EPSS Percentile 84.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull mcr.microsoft.com/devcontainers/base:ubuntu

https://github.com/nikitapbst/cve-2019-6260

https://github.com/amboar/cve-2019-6260

View in Library

Details

Status published

Products (3)

aspeedtech/ast2400_firmware

aspeedtech/ast2500_firmware

netapp/fas\/aff_baseboard_management_controller

Published Jan 22, 2019

Tracked Since Feb 18, 2026