Admins who manage systems with HP Device Manager should update the software as soon as possible. The current versions close three security vulnerabilities.
One of them (CVE-2020-6926) is rated "critical". In its advisory HP writes that remote attackers could gain access to unspecified resources after a successful attack; the advisory does not say how such an attack would be carried out. HP strongly advises admins to update to the latest, fixed version.
Attackers with system privileges
The other two vulnerabilities (CVE-2020-6925, CVE-2020-6927) are rated "high". Because of a flawed cipher implementation (CVE-2020-6925), attackers could take over systems by means of dictionary attacks. Successful exploitation of the third vulnerability (CVE-2020-6927) could give an attacker system privileges, i.e. a local privilege escalation.
Systems that use Active Directory authenticated accounts are not affected by CVE-2020-6925. Likewise, CVE-2020-6927 does not apply if an external database (Microsoft SQL Server) is used and the internal PostgreSQL services are not installed. Admins should verify which database backend their installation actually runs on before ruling the vulnerability out.
HP Device Manager 5.0.4 contains the fixes. A fixed HP Device Manager 4.7 Service Pack 13 is to follow shortly. Until then, those running the 4.7 branch should apply the workarounds in the advisory to protect their systems. These include shielding the server from the outside so that only trusted IP addresses can reach ports 1099 and 40002.
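The following is an added example of that workaround for a Windows host and is not code from HP's advisory. It restricts inbound access to the two ports named above to a list of trusted addresses with the built-in Windows Defender Firewall cmdlets. The trusted addresses, the rule name and the assumption that both ports are TCP listeners of the HPDM server are placeholders and assumptions of this example; adjust them to your environment and run the script in an elevated PowerShell on the HPDM server.

```powershell
# Added example, not from HP's advisory: limit inbound access to the HP Device
# Manager server ports named in the advisory (1099, 40002) to trusted hosts.
# Assumptions: both ports are TCP listeners on the HPDM server; the addresses
# below are placeholders for your admin consoles and gateways.

$TrustedHosts = @('10.10.20.5', '10.10.20.0/24')   # assumption: replace with real hosts
$HpdmPorts    = @('1099', '40002')                  # ports listed in HP's workaround
$RuleName     = 'HPDM ports 1099/40002 - trusted hosts only'

# 1. Deny inbound traffic on every profile unless a rule explicitly allows it.
#    Windows evaluates explicit Block rules ahead of Allow rules, so a scoped
#    Allow rule on top of a block-by-default profile is the safe pattern; a
#    blanket Block rule on these ports would override the Allow rule as well.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Disable any existing inbound Allow rule that already exposes these ports
#    to every remote address; otherwise it would still let the traffic through.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and
        ($pf.LocalPort -match '^(1099|40002)$') -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
    } |
    Disable-NetFirewallRule

# 3. Allow the two ports only from the trusted addresses.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $HpdmPorts -RemoteAddress $TrustedHosts -Action Allow -Profile Any

# 4. Show the resulting remote-address scope of the new rule for verification.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

After applying the rules, confirm from an untrusted host that a TCP connection to 1099 and 40002 times out or is refused, and from a trusted console that HPDM still connects. Keep the rules in place even after updating: the advisory lists them as a workaround for 4.7, but exposing a management server's ports only to known admin hosts is good practice regardless of version.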