Published:2021/01/04  Last Updated:2021/01/12

Multiple NEC Products vulnerable to authentication bypass


Multiple NEC Products contain authentication bypass vulnerability in RMCP connection using IPMI over LAN.

Products Affected

The following products which Baseboard Management Controller (BMC) firmware Rev1.09 and earlier is applied, are affected.

  • Express5800/T110j
  • Express5800/T110j-S
  • Express5800/T110j (2nd-Gen)
  • Express5800/T110j-S (2nd-Gen)
  • iStorage NS100Ti
  • Express5800/GT110j


In Intelligent Platform Management Interface (IPMI) v1.5, Remote Management Control Protocol (RMCP) to access BMC through LAN is prescribed.

Multiple NEC products which conduct RMCP access using IPMI over LAN contain an issue in implementations of the BMC firmware and when accessing BMC through RMCP using LAN, unauthorized session may be established.


A logged-in remote attacker may obtain/modify BMC setting information, obtain monitoring information or reboot/shut down the product.


Do not use IPMI over LAN at products
It is recommended to stop using IPMI over LAN in the products.
IPMI 2.0 contains a known vulnerability (CVE-2013-4786) where the password hashes may be obtained. Therefore, disable IPMI over LAN in the products to avoid the effects of this vulnerability.
According to the developer, IPMI over LAN is enabled by default in the affected products, but would not function if LAN cable is not connected to BNC LAN port.

Apply a Workaround
If the product's IPMI over LAN must be used, apply following workaround to mitigate the effects of this vulnerability.

  • Apply BMC firmware Rev1.10 or later, which this vulnerability is addressed, and use the product only in a safe intranet protected by a firewall and do not connect the BMC to the Internet.

Vendor Status

Vendor Status Last Update Vendor Notes
NEC Corporation Vulnerable 2021/01/12


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
Base Score: 5.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2020-5633
JVN iPedia JVNDB-2021-000002

Update History

NEC Corporation update status
Information under the section "Products Affected" was updated.
NEC Corporation update status