Arbitrary code execution vulnerability on multiple Micro Focus products
Description
Micro Focus products (OBM, APM, DCA, etc.) contain an arbitrary code execution vulnerability allowing authenticated remote attackers to execute code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Micro Focus products (OBM, APM, DCA, etc.) contain an arbitrary code execution vulnerability allowing authenticated remote attackers to execute code.
Vulnerability
CVE-2020-11853 is an arbitrary code execution vulnerability in the Operations Bridge Manager (OBM) capability, which is deployed in multiple Micro Focus products [1]. Affected products include Operations Bridge Manager (versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.6x, and older), Application Performance Management (9.51, 9.50, 9.40 with uCMDB 10.33 CUP 3), Data Center Automation (2019.11), Operations Bridge containerized (multiple versions from 2017.11 to 2019.11), Universal CMDB (multiple versions from 10.30 to 2020.05), Hybrid Cloud Management (2020.05), and Service Management Automation (2020.5 and 2020.02) [2][3][4].
Exploitation
An attacker must have network access to the affected application and be authenticated as a valid user [1][2][4]. With these prerequisites, the attacker can send crafted requests to the OBM component to execute arbitrary code [1]. No user interaction is required beyond the initial authentication.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the affected system [1]. This can lead to full compromise of confidentiality, integrity, and availability (CVSS 8.8, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) [4]. The attacker gains the same privileges as the application, which may be elevated depending on the deployment.
Mitigation
Micro Focus has released security updates for all affected products [1][2][3][4]. Customers should apply the latest patches from the Micro Focus support portal. If immediate patching is not possible, restrict network access to the OBM service and enforce strong authentication. No workarounds are documented.
- KM03747854 - Operations Bridge (containerized). Arbitrary code execution vulnerabilities
- KM03747658 - Operation Bridge Manager. arbitrary code execution vulnerabilities
- Data Center Automation. Arbitrary code execution, CVE-2020-11853.
- KM03747657 - Application Performance Management. Arbitrary code execution vulnerabilities
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
102019.11+ 1 more
- (no CPE)range: 2019.11
- (no CPE)range: 2019.11
- Range: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3
- Range: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.6x, 10.1x and older
- Micro Focus/Application Performance Managementv5Range: 9.51
- Range: 2018.05
- Micro Focus/Operation Bridge Managerv5Range: 2020.5
- Range: 2019.11
- Micro Focus/Service Management Automationv5Range: 2020.05
- Micro Focus/Universal CMDBv5Range: 2020.05
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Unspecified vulnerability in multiple Micro Focus products allows remote authenticated users to execute arbitrary code."
Attack vector
An attacker with network access and valid application user credentials can trigger arbitrary code execution on affected installations [ref_id=1][ref_id=2][ref_id=3][ref_id=4]. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates the attack is over the network, requires low complexity, needs low-privilege authentication, and no user interaction [ref_id=1]. The exact payload shape and protocol are not disclosed in the advisories, but the impact is full compromise of confidentiality, integrity, and availability.
Affected code
The advisory does not specify the exact functions, files, or code paths at fault. The vulnerability exists in multiple Micro Focus products including Data Center Automation, Universal CMDB, Hybrid Cloud Management, and Service Management Automation (SMA) [ref_id=1][ref_id=2][ref_id=3][ref_id=4]. For SMA, the bulletin notes the issue resides in "embedded CMS container images" [ref_id=4]. No patch diff or source-level detail is provided in any of the referenced advisories.
What the fix does
No patch diff is published. Micro Focus provides separate mitigation articles per product: for DCA 2019.08 and earlier, see KM03757990; for DCA 2019.11, see KM03747167 [ref_id=1]; for Universal CMDB, see KM03745376 [ref_id=2]; for Hybrid Cloud Management, see KM03744411 [ref_id=3]; for SMA, see KM03716045 [ref_id=4]. The advisories do not describe the technical changes that close the vulnerability.
Preconditions
- networkAttacker must have network access to the affected service
- authAttacker must authenticate as a valid application user
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.htmlmitrex_refsource_MISC
- packetstormsecurity.com/files/161366/Micro-Focus-Operations-Bridge-Manager-Remote-Code-Execution.htmlmitrex_refsource_MISC
- softwaresupport.softwaregrp.com/doc/KM03747657mitrex_refsource_MISC
- softwaresupport.softwaregrp.com/doc/KM03747658mitrex_refsource_MISC
- softwaresupport.softwaregrp.com/doc/KM03747854mitrex_refsource_MISC
- softwaresupport.softwaregrp.com/doc/KM03747948mitrex_refsource_MISC
- softwaresupport.softwaregrp.com/doc/KM03747949mitrex_refsource_MISC
- softwaresupport.softwaregrp.com/doc/KM03747950mitrex_refsource_MISC
- softwaresupport.softwaregrp.com/doc/KM03749879mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.