Unrated severity · NVD Advisory · Published Apr 6, 2021 · Updated Sep 17, 2024

ASUS BMC's firmware: command injection - Modify user’s information function

CVE-2021-28204

Description

A specific function in the Web management page of ASUS BMC's firmware (the Modify user's information function) does not filter a specific parameter. After obtaining administrator permission, remote attackers can use command injection to execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ASUS BMC firmware's web management page has a command injection vulnerability in the modify user function, allowing authenticated admin attackers to execute arbitrary commands.

Vulnerability

The ASUS BMC firmware's web management page contains a command injection vulnerability in the "Modify user's information" function. The specific parameter is not properly filtered, allowing injection of system commands. Affected firmware versions include Z10PR-D16 1.14.51, ASMB8-iKVM 1.14.51, and Z10PE-D16 WS 1.14.2 [1].

Exploitation

An attacker must first obtain administrator privileges on the BMC web interface. With network access to the management page, the attacker can send a crafted HTTP request to the vulnerable function, injecting arbitrary operating system commands via the unfiltered parameter [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the BMC firmware. This can lead to full compromise of the BMC, potential access to the host system, and disclosure or modification of sensitive data [1].

Mitigation

ASUS has released fixed firmware versions: Z10PR-D16 1.16.1, ASMB8-iKVM 1.16.1, and Z10PE-D16 WS 1.16.1. Users should update to these versions immediately. No workaround is documented in the available reference [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • ASUS/BMC firmware for ASMB8-iKVMv5
    Range: 1.14.51
  • ASUS/BMC firmware for Z10PE-D16 WSv5
    Range: 1.14.2
  • ASUS/BMC firmware for Z10PR-D16v5
    Range: 1.14.51


References

3
