Exploitation Summary
CVE-2024-13980 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contain a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-28 UTC.
References (6)
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/h3c-intelligent-management-center-rce
Various Sources (exploit): https://blog.csdn.net/nnn2188185/article/details/141065540
Various Sources (technical-description, exploit): https://github.com/OJZen/FckESC/blob/master/%E5%86%85%E7%BD%91%E7%99%BB%E5%BD%95%E8%BF%87%E7%A8%8B.txt
Various Sources (product): https://www.h3c.com/cn/Service/Online_Help/psirt/
Various Sources (technical-description, exploit): https://blog.csdn.net/weixin_48539059/article/details/141033966
Various Sources (technical-description, exploit): https://axsec.blog.csdn.net/article/details/141003376
Scores
CVSS v4: 10.0
EPSS: 0.0118
EPSS Percentile: 63.5%
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
VulnCheck KEV: 2024-08-28
CWE: CWE-502
Status: published
Products (1)
H3C Group/Intelligent Management Center (iMC): < E0632H07
Published: Aug 27, 2025
Tracked Since: Feb 18, 2026