CVE-2005-2773

What is HP OpenView Network Node Manager?

HP OpenView Network Node Manager (NNM) was one of the dominant enterprise network management platforms of the 1990s and 2000s, widely deployed in large enterprise, telecommunications, and government networks. NNM used SNMP to discover, map, and monitor network devices — routers, switches, servers, and other infrastructure. It ran on HP-UX, Solaris, and Windows, and provided a web-based management interface for network operations. The NNM web interface exposed a variety of CGI scripts for administrative operations, which became a recurring source of serious vulnerabilities. HP eventually replaced NNM with HP Network Node Manager i (NNMi), but legacy NNM deployments persisted for years — and in some organizations, for decades.

Overview

CVE-2005-2773 is a critical remote code execution vulnerability (CVSS 9.8) in HP OpenView Network Node Manager. The vulnerability exists in the web-based management interface's CGI scripts, which allowed a remote unauthenticated attacker to execute arbitrary OS commands on the server hosting NNM. With no authentication required (CVSS: PR:N, UI:N), any network-accessible NNM installation was fully exploitable. HP patched the vulnerability in 2005. CISA added it to KEV in March 2022, nearly 17 years after disclosure, indicating continued exploitation of unpatched legacy NNM infrastructure.

Affected Versions

HP OpenView NNM reached end-of-life and is no longer supported. Organizations still running NNM should migrate to a supported network management solution.

Technical Details

The vulnerability exists in the CGI scripts bundled with HP OpenView NNM's web management interface. The NNM web server exposed CGI scripts for network management operations — topology discovery, node management, event processing, and administrative tasks. One or more of these CGI scripts accepted parameters from HTTP requests and passed them to operating system commands without adequate sanitization.

An attacker could:

1. Send an HTTP request to the NNM web management port (typically TCP 80 or 3443) with crafted parameters
2. The unsanitized input was passed to an OS command via shell invocation in the CGI handler
3. Command injection characters (semicolons, pipes, backticks, or subshell syntax) in the parameter caused the shell to execute attacker-supplied commands
4. Commands executed with the privileges of the web server process — typically a privileged account with broad system access on the NNM host

Because NNM was deployed to manage critical network infrastructure, the NNM server typically had network access to all managed devices, making it a high-value pivot point for attackers gaining access.

Discovery

Reported to HP through vulnerability disclosure channels in 2005. Command injection vulnerabilities in CGI-based web management interfaces were widespread during this era — the combination of shell scripting, CGI, and Perl used in many management platforms of the late 1990s and early 2000s created systemic injection risks. HP OpenView NNM had several CGI vulnerabilities discovered over its lifetime.

Exploitation Context

HP OpenView NNM was a prime target because of its network position and access:

• Network management value: An NNM server has SNMP read/write community strings and SSH/Telnet credentials for every managed device. Compromising NNM meant compromising the management plane of the entire network.
• Legacy persistence: Large enterprises and government agencies that deployed NNM in the 2000s sometimes continued running unpatched versions on isolated management networks, believing air-gapping provided adequate protection.
• Pivot to infrastructure: From a compromised NNM server, an attacker could pivot to all managed network devices, enabling traffic interception, configuration changes, or further lateral movement.
• CISA 2022 KEV batch: NNM was added alongside other historical network management vulnerabilities in March 2022, reflecting intelligence of targeted attacks against legacy management infrastructure.

Remediation

1. Decommission HP OpenView NNM: HP OpenView NNM is end-of-life with no vendor support. Replace with a modern, supported network management platform (e.g., SolarWinds NPM, PRTG, Zabbix, or open-source alternatives).
2. Apply available patches: If replacement is not immediately possible, apply all available HP security patches for the installed NNM version.
3. Firewall the management interface: Restrict access to the NNM web management port to authorized management workstations only — NNM should never be internet-accessible.
4. Audit SNMP community strings: Rotate all SNMP community strings stored in or accessible via NNM, as any compromise of the NNM host may have exposed these credentials.
5. Review network access logs: If NNM was unpatched, investigate for signs of exploitation — unexpected command execution, unauthorized SNMP configuration changes, or outbound connections from the NNM host.