HP Device Manager is widely used software that lets IT administrators manage HP Thin Client devices. It was found to ship with a backdoor database user account, which can undermine the security of any network it is deployed on.
Nick Bloor, founder of Cognitous Cyber Security, discovered that an insecure user account had been set up by an HP Inc. developer in a database bundled with HP Device Manager. He found that the account can be readily abused by a malicious user to escalate privileges and obtain unauthorized remote command execution as SYSTEM.
The practical impact is that if a vulnerable installation of HP Device Manager can be reached over the network, an attacker can gain administrator-level control of the server and, through it, of the thin clients it manages. Bloor said that “anyone with access to a server where HP Device Manager is installed could use this user account to gain complete control over the server,” which qualifies as local privilege escalation. Bloor has confirmed that the vulnerability exists in the current version of HP Device Manager, but cannot confirm whether past versions are affected. HP has since published a security advisory for customers.