CVE-2019-3493

Vulnerability

A remote code execution vulnerability exists in Micro Focus Network Automation Software versions 9.20, 9.21, 10.00, 10.10, 10.20, 10.30, 10.40, 10.50, 2018.05, 2018.08, 2018.11 and all versions of Micro Focus Network Operations Management (NOM). The security bulletin [1] describes the issue as a "potential security vulnerability" that can be remotely exploited to achieve arbitrary code execution. No specific component or condition is detailed in the available references, but the vulnerability is accessible over the network.

Exploitation

According to the advisory [1], the vulnerability can be exploited remotely. No authentication, user interaction, or special network position is explicitly required in the published information. An attacker with network access to a vulnerable Micro Focus Network Automation or NOM system could send crafted requests to trigger the code execution. The exact attack vector and sequence of steps are not disclosed in available references.

Impact

Successful exploitation leads to remote code execution on the affected server. An attacker can execute arbitrary commands with the privileges of the application, potentially gaining full control over the Micro Focus Network Automation or NOM installation. This compromises the confidentiality, integrity, and availability of the system.

Mitigation

Micro Focus has released a security bulletin [1] but does not specify a fixed version in the available references. Users should contact Micro Focus support or consult the advisory for patches. No workarounds are described. No known exploitation in the wild has been reported in the referenced document, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.