HOMEVULNERABILITIESCVE-2021-26581
MEDIUM

CVE-2021-26581

NVD-CWE-noinfoPublished: April 1, 2021· Updated: Jun 17, 2026

6.5
CVSS v3.1

Official Description

A potential security vulnerability has been identified in HPE Superdome Flex server. A denial of service attack can be remotely exploited leaving hung connections to the BMC web interface. The monarch BMC must be rebooted to recover from this situation. Other BMC management is not impacted. HPE has made the following software update to resolve the vulnerability in HPE Superdome Flex Server: Superdome Flex Server Firmware 3.30.142 or later.

NVD Source

Technical Analysis

CVE-2021-26581 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 6.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

hpe2 product(s)
superdome flex server firmwaresuperdome flex server
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (2)

Quick Facts

CVE IDCVE-2021-26581
CVSS Score6.5 / 10
SeverityMEDIUM
CISA KEVNo
Affected1 vendor(s)
PublishedApr 1, 2021

Related CVEs (NVD-CWE-noinfo)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2021-26581 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.