Threat Advisory

IBM Power HMC Flaw Lets Unauthenticated Attackers Run Arbitrary Commands

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A critical OS command injection flaw, tracked as CVE-2026-12943 with a CVSS score of 9.8, was disclosed in the IBM Power Hardware Management Console (HMC). This vulnerability allows unauthenticated attackers to run arbitrary commands, compromising the management system's ability to validate user-supplied input properly, resulting in remote attackers gaining full administrative control without valid user credentials. The HMC controls managed systems and logical partitions, handles Capacity on Demand features for server hardware, and communicates with managed systems to detect and consolidate critical information, posing a massive risk to global enterprise networks that rely on these services. Specifically, the vulnerability impacts specific versions of the console software, including HMC V10.3.1050.0 through V10.3.1064.0 and HMC V11.1.1110.0 through V11.1.1112.0 in IBM Power environments running Novalink. The flaw involves a severe OS command injection weakness, classified as CWE-78, where the management system fails to validate user-supplied input properly, allowing attackers to send malicious input containing special command elements over the network that are processed directly as operating system commands. This enables remote attackers to gain full administrative control without valid user credentials, posing a significant threat to enterprise networks and emphasizing the need for immediate patch application to prevent unauthorized access.

RECOMMENDATION:

We recommend you to refer below link: https://www.ibm.com/support/pages/security-bulletin-power-hardware-management-console-update-being-released-address-cve-2026-12943[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A critical OS command injection flaw, tracked as CVE-2026-12943 with a CVSS score of 9.8, was disclosed in the IBM Power Hardware Management Console (HMC). This vulnerability allows unauthenticated attackers to run arbitrary commands, compromising the management system's ability to validate user-supplied input properly, resulting in remote attackers gaining full administrative control without valid user credentials. The HMC controls managed systems and logical partitions, handles Capacity on Demand features for server hardware, and communicates with managed systems to detect and consolidate critical information, posing a massive risk to global enterprise networks that rely on these services. Specifically, the vulnerability impacts specific versions of the console software, including HMC V10.3.1050.0 through V10.3.1064.0 and HMC V11.1.1110.0 through V11.1.1112.0 in IBM Power environments running Novalink. The flaw involves a severe OS command injection weakness, classified as CWE-78, where the management system fails to validate user-supplied input properly, allowing attackers to send malicious input containing special command elements over the network that are processed directly as operating system commands. This enables remote attackers to gain full administrative control without valid user credentials, posing a significant threat to enterprise networks and emphasizing the need for immediate patch application to prevent unauthorized access.

RECOMMENDATION:

We recommend you to refer below link: https://www.ibm.com/support/pages/security-bulletin-power-hardware-management-console-update-being-released-address-cve-2026-12943[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu