QwikSec

Security Database

CVE

CWE

Training

CVE-2024-13980

Published: Aug 27, 2025

Modified: May 15, 2026

PUBLISHED

Description

H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-28 UTC.

Vendor	Product	Versions
H3C Group	Intelligent Management Center (iMC)	affected `0 - <= E0632H07`

Weaknesses (CWE)

References

https://blog.csdn.net/nnn2188185/article/details/141065540

exploit

https://github.com/OJZen/FckESC/blob/master/%E5%86%85%E7%BD%91%E7%99%BB%E5%BD%95%E8%BF%87%E7%A8%8B.txt

technical-description

exploit

https://blog.csdn.net/weixin_48539059/article/details/141033966

technical-description

exploit

https://axsec.blog.csdn.net/article/details/141003376

technical-description

exploit

https://www.h3c.com/cn/Service/Online_Help/psirt/

product

https://www.vulncheck.com/advisories/h3c-intelligent-management-center-rce

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.