JVNVU#95177764
"iRMC S5/S6" implemented in PRIMERGY vulnerable to incorrect authorization
Overview
Remote Management Controller "iRMC S5/S6" implemented in PRIMERGY provided by Fsas Technologies Inc. contains an incorrect authorization vulnerability.
Products Affected
Multiple products implementing Remote Management Controller "iRMC S5/S6" are affected by the vulnerability.
For details of the affected products, refer to the information provided by the developer.
Note that "iRMC S4" is not affected by the vulnerability.
Description
Remote Management Controller "iRMC S5/S6" implemented in PRIMERGY provided by Fsas Technologies Inc. contains the following vulnerability.
- Incorrect authorization (CWE-863, CVE-2025-65002)
- This can be exploited only by users who have a Redfish role other than "Administrator" in their Redfish/WebUI privileges and who use a 16-character username
Impact
A user with privileges other than “Administrator” may be able to access the Web UI or use the Redfish API beyond the intended privilege level.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Apply the workaround
Until the software is updated, applying the following workaround is recommended to mitigate the impact of the vulnerability.
- Limit the username of each user registering with iRMC to 15 characters
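The following audit sketch is an added example, not code from Fsas Technologies Inc. or JPCERT/CC. It checks an exported account list against the workaround limit and flags the condition described above. It assumes the accounts are available as standard Redfish ManagerAccount resources (`UserName`, `RoleId`, `Enabled`); the role names other than "Administrator" and all sample accounts are constructed.

```python
import json

WORKAROUND_MAX_LEN = 15   # username limit given in the advisory's workaround
ADVISORY_LEN = 16         # username length named in the advisory's description

# Constructed sample: ManagerAccount resources with the standard Redfish
# properties Id, UserName, RoleId and Enabled. All account names are made up.
SAMPLE_ACCOUNTS = json.loads("""[
 {"Id": "1", "UserName": "admin",            "RoleId": "Administrator", "Enabled": true},
 {"Id": "2", "UserName": "operator_backup1", "RoleId": "Operator",      "Enabled": true},
 {"Id": "3", "UserName": "svc_inventory01",  "RoleId": "ReadOnly",      "Enabled": true},
 {"Id": "4", "UserName": "readonly_monitor", "RoleId": "ReadOnly",      "Enabled": false},
 {"Id": "5", "UserName": "administrator_16", "RoleId": "Administrator", "Enabled": true},
 {"Id": "6", "UserName": null,               "RoleId": "ReadOnly",      "Enabled": false}
]""")


def audit_accounts(accounts):
    """Return accounts whose username exceeds the workaround limit.

    'matches_advisory' is True for the condition the advisory describes:
    a 16-character username on an account whose role is not Administrator.
    """
    findings = []
    for acct in accounts:
        name = acct.get("UserName") or ""   # empty account slots have no name
        if len(name) <= WORKAROUND_MAX_LEN:
            continue
        role = acct.get("RoleId") or ""
        findings.append({
            "id": acct.get("Id"),
            "username": name,
            "length": len(name),
            "role": role,
            "enabled": bool(acct.get("Enabled")),
            "matches_advisory": len(name) == ADVISORY_LEN and role != "Administrator",
        })
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        tag = "ADVISORY CONDITION" if f["matches_advisory"] else "over workaround limit"
        print(f'{f["id"]}: {f["username"]!r} ({f["length"]} chars, role={f["role"]}, '
              f'enabled={f["enabled"]}) -> {tag}')
```

Disabled accounts are reported as well, since re-enabling one would bring the username back into use.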
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Fsas Technologies Inc. | Vulnerable | 2026/01/22 | Fsas Technologies Inc. website |
Credit
Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.