Arbitrary code execution vulnerability in Operations Bridge Manager, Application Performance Management and Operations Bridge (containerized) products.
Description
CVE-2020-11854 allows remote, unauthenticated attackers to execute arbitrary code on Micro Focus OBM, OB (containerized), and APM via a hard-coded diagnostics account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the authentication mechanism of Micro Focus Operations Bridge Manager (OBM), Operations Bridge (containerized), and Application Performance Management (APM) products. The affected versions include OBM versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63, 10.62, 10.61, 10.60, 10.12, 10.11, 10.10, and all earlier versions; Operations Bridge (containerized) versions 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, and 2017.11; and APM versions 9.51, 9.50, and 9.40 with uCMDB 10.33 CUP 3 [1][2][3]. The flaw involves the use of a hard-coded password for a diagnostics user account, allowing arbitrary code execution through network access [4].
Exploitation
An attacker can exploit this vulnerability remotely without any authentication or user interaction. The attack requires network access to the OBM application [1][2][3]. The specific flaw is the presence of a hard-coded password for the diagnostics user account; an attacker leverages this account to gain access [4]. No additional privileges or special conditions are necessary beyond network connectivity to the affected service.
Impact
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code in the context of SYSTEM on the affected host [4]. This results in full compromise of confidentiality, integrity, and availability (CIA) of the system. The CVSS v3 base score for this vulnerability is 9.8 (Critical), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [4].
Mitigation
Micro Focus has released security patches for the affected products. For Operations Bridge (containerized), refer to document KM03747854 [1]; for Operations Bridge Manager, refer to KM03747658 [2]; and for Application Performance Management, refer to KM03747657 [3]. Users should apply the latest fixed versions as indicated in the respective advisories. No workarounds are documented in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (6)
- (no CPE) range: <=2020.05
- (no CPE) range: 2020.05
- Range: 9.40, 9.50, 9.51
- Range: <=2020.05
- Micro Focus / Application Performance Management, range: 9.51
- Micro Focus / Operations Bridge Manager, range: 2020.05
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"An unspecified vulnerability in Micro Focus Application Performance Management allows remote unauthenticated code execution."
Attack vector
An unauthenticated remote attacker with network access to the APM application can trigger arbitrary code execution. The CVSS v3 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating no privileges or user interaction are required [ref_id=1]. The advisory does not describe the specific payload shape or protocol used.
Affected code
The advisory does not specify particular functions, files, or code paths. It only identifies the affected products: Micro Focus Application Performance Management versions 9.51, 9.50, and 9.40 (with uCMDB 10.33 CUP 3), as well as Operations Bridge Manager and Operations Bridge (containerized) across numerous versions [ref_id=1].
What the fix does
Micro Focus directs customers to a separate knowledge base article (KM03745333) for the resolution [ref_id=1]. The advisory does not include a patch diff or describe the code changes. No further technical details about the fix are provided in the available reference.
Preconditions
- Network access to the APM application
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html
- softwaresupport.softwaregrp.com/doc/KM03747657
- softwaresupport.softwaregrp.com/doc/KM03747658
- softwaresupport.softwaregrp.com/doc/KM03747854
- www.zerodayinitiative.com/advisories/ZDI-20-1287/
News mentions
No linked articles in our index yet.