HOMEVULNERABILITIESCVE-2018-9068
HIGH

CVE-2018-9068

CWE-798Published: July 26, 2018· Updated: Jun 17, 2026

7.5
CVSS v3.1

Official Description

The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.

NVD Source

Technical Analysis

CVE-2018-9068 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), with a CVSS base score of 7.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityNone
AvailabilityNone
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Vendors & Products

IBM56 product(s)
bladecenter hs22 firmwarebladecenter hs22bladecenter hs23 firmwarebladecenter hs23bladecenter hs23e firmwarebladecenter hs23eflex system x220 m4 firmwareflex system x220 m4flex system x222 m4 firmwareflex system x222 m4flex system x240 m4 firmwareflex system x240 m4+44
Lenovo28 product(s)
flex system x240 m4 firmwareflex system x240 m4flex system x240 m5 firmwareflex system x240 m5flex system x280 x6 firmwareflex system x280 x6flex system x440 m4 firmwareflex system x440 m4flex system x480 x6 firmwareflex system x480 x6flex system x880 firmwareflex system x880+16
Source: NVD CPE · 84 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (2)

Quick Facts

CVE IDCVE-2018-9068
CVSS Score7.5 / 10
SeverityHIGH
WeaknessCWE-798
CISA KEVNo
Affected2 vendor(s)
PublishedJul 26, 2018

Related CVEs (CWE-798)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2018-9068 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.