CVE-2020-11854

CRITICAL EXPLOITED IN THE WILD NUCLEI

Microfocus Application Performance Management - Hard-coded Credentials

Title source: rule

Exploitation Summary

CVE-2020-11854 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit, including a Metasploit module exploits/multi/http/microfocus_ucmdb_unauth_deser. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2020-11854 by chaining a hardcoded credentials vulnerability (CVE-2020-11853) with a Java deserialization flaw in Micro Focus UCMDB. It authenticates using the 'diagnostics' user and sends a malicious serialized payload to achieve unauthenticated RCE.

Description

Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravility affects: 1.) Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.) Application Performance Management versions 9,51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow Arbitrary code execution.

Exploits (1)

metasploit WORKING POC EXCELLENT

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/microfocus_ucmdb_unauth_deser.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-11854 by chaining a hardcoded credentials vulnerability (CVE-2020-11853) with a Java deserialization flaw in Micro Focus UCMDB. It authenticates using the 'diagnostics' user and sends a malicious serialized payload to achieve unauthenticated RCE.

Classification

Working Poc 100%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Micro Focus UCMDB (versions 2020.05 and below, including Operations Bridge Manager)

No auth needed

Prerequisites: Network access to UCMDB service (port 8443 by default) · Java deserialization gadget chain (CommonsBeanutils1)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Apr 30, 2026 Full analysis →

Nuclei Templates (1)

Micro Focus UCMDB - Remote Code Execution

CRITICALby dwisiswant0

References (5)

Core 5

Core References

Various Sources x_refsource_misc

https://softwaresupport.softwaregrp.com/doc/KM03747658

Various Sources x_refsource_misc

https://softwaresupport.softwaregrp.com/doc/KM03747657

Various Sources x_refsource_misc

https://softwaresupport.softwaregrp.com/doc/KM03747854

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html

Third Party Advisory x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-20-1287/

Scores

CVSS v3 9.8

EPSS 0.9240

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-01-13

InTheWild.io 2024-05-17

CWE

CWE-798

Status published

Products (23)

microfocus/application_performance_management 9.50

microfocus/application_performance_management 9.51

microfocus/application_performance_management 9.40

microfocus/operations_bridge 2017.11

microfocus/operations_bridge 2018.02

microfocus/operations_bridge 2018.05

microfocus/operations_bridge 2018.08

microfocus/operations_bridge 2018.11

microfocus/operations_bridge 2019.05

microfocus/operations_bridge 2019.08

... and 13 more

Published Oct 27, 2020

Tracked Since Feb 18, 2026