Every vulnerability below was discovered during an authorized internal assessment of a modern H3C CAS deployment on UniServer hardware; each is documented with detection commands, impact analysis, PoCs, and remediation steps for fellow pentesters.

In early 2026 I performed an authorized external penetration test against a large-scale private cloud built on H3C CAS (Cloud Automation System) running on contemporary UniServer R4900G6 and R4300G6 hardware. The environment consisted of compute nodes, storage nodes, CVM management hosts, and backup systems, all behind standard enterprise firewalls. The write-up is partially redacted for legal reasons (no IPs, hostnames, or client identifiers).

My goal is to equip other pentesters with exact detection methods and to help defenders understand the real-world risks of common H3C deployment patterns in 2026.

Vulnerability Summary

  • 5 Critical
  • 13 High
  • 12 Medium
  • 1 Low
  • 1 Informational

Critical Findings (Fix These First)

1. Critical Infrastructure Risk — End-of-Life Operating System (CVSS 9.8)

Multiple hypervisor and management hosts were running CentOS 7 (kernel 3.10 series) on brand-new 2024–2025 hardware. CentOS 7 reached EOL on 30 June 2024.

Detection (Pentester Commands):

cat /etc/os-release
uname -r
# or via nmap
nmap -p22 --script ssh-hostkey target

Impact: Any new kernel CVE after June 2024 is unpatchable. Full root access becomes a permanent zero-day.

Remediation: Migrate immediately to AlmaLinux 9, Rocky Linux 9, or RHEL 9. Use Leapp for in-place upgrade where possible.

2. Outdated OpenSSH 8.8 (RegreSSHion CVE-2024-6387 + Terrapin CVE-2023-48795) (CVSS 9.5)

A complete management subnet (9+ hosts) was running OpenSSH 8.8.

Detection:

nmap -p22 -sV --script ssh2-enum-algos target
ssh -v target 2>&1 | grep OpenSSH

Impact: RegreSSHion allows unauthenticated remote root on glibc systems. Terrapin enables MitM and downgrade attacks. Wormable across the entire management plane.

Remediation: Upgrade to OpenSSH 9.8+ and disable weak ciphers/algorithms in sshd_config.
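As an added defender-side example (not code from the original write-up), a small Python audit that applies findings 1 and 2 to inventory data: it parses /etc/os-release content and the OpenSSH banner, and also flags the Terrapin precondition that ssh2-enum-algos reveals (a ChaCha20-Poly1305 cipher offered without the strict key-exchange extension). The sample host data and the 2026 reference date are constructed; the EOL date and the 9.8 threshold come from the findings above, and the kex-strict-s-v00@openssh.com marker is the standard OpenSSH extension name.

```python
import re
from datetime import date

# Facts taken from the write-up: CentOS 7 reached EOL on 30 June 2024 and the
# remediation threshold is OpenSSH 9.8 or newer.
CENTOS7_EOL = date(2024, 6, 30)
MIN_OPENSSH = (9, 8)
# Terrapin (CVE-2023-48795) needs a ChaCha20-Poly1305 or CBC-EtM session; the
# fix is the strict key-exchange extension advertised in the server's KEX list.
TERRAPIN_CIPHERS = {"chacha20-poly1305@openssh.com"}
STRICT_KEX = "kex-strict-s-v00@openssh.com"


def parse_os_release(text):
    """Turn /etc/os-release content into a dict (values may be quoted)."""
    out = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out


def parse_ssh_banner(banner):
    """Return (major, minor) from a banner such as SSH-2.0-OpenSSH_8.8, else None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_host(os_release, ssh_banner, kex_algos, ciphers, today=date(2026, 2, 1)):
    """Return a list of finding strings for one host; an empty list means clean."""
    findings = []
    osr = parse_os_release(os_release)
    if osr.get("ID") == "centos" and osr.get("VERSION_ID") == "7" and today > CENTOS7_EOL:
        findings.append("EOL operating system: CentOS 7 (EOL 2024-06-30)")
    ver = parse_ssh_banner(ssh_banner)
    if ver and ver < MIN_OPENSSH:
        findings.append(f"OpenSSH {ver[0]}.{ver[1]} is below 9.8 (RegreSSHion/Terrapin exposure)")
    if TERRAPIN_CIPHERS & set(ciphers) and STRICT_KEX not in kex_algos:
        findings.append("Terrapin-prone cipher offered without strict key exchange")
    return findings


# Constructed sample host mirroring the write-up (not real captured data).
SAMPLE_OS_RELEASE = 'NAME="CentOS Linux"\nVERSION="7 (Core)"\nID="centos"\nVERSION_ID="7"\n'
SAMPLE_BANNER = "SSH-2.0-OpenSSH_8.8"
SAMPLE_KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
SAMPLE_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"]

if __name__ == "__main__":
    for f in audit_host(SAMPLE_OS_RELEASE, SAMPLE_BANNER, SAMPLE_KEX, SAMPLE_CIPHERS):
        print("FINDING:", f)
```

Feed it the banner from `ssh -v` and the algorithm lists from `ssh2-enum-algos` per host to get a per-host list that maps straight onto findings 1 and 2.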

3. Unified Management Platform ("God Node") (CVSS 9.5)

All control planes (compute, storage, SDN, user access) are managed by a single CVM node that also acts as the

Detection: Look for a single host exposing both external-facing ports (HTTPS, VNC 5900 range) and internal management IPs. Test if you can reach backend hypervisors via the proxy.

Impact: Single point of total compromise. One vulnerability in it means full cluster takeover and the ability to delete volumes, reconfigure SDN, and console into any VM.

Remediation: Decouple management planes.

4. Unauthenticated Jaeger Tracing Interface (CVSS 9.4)

Jaeger UI exposed on port 16686 with no authentication on multiple management hosts.

Detection:

curl -I http://target:16686/jaeger/search

If you get the search interface → critical.

Impact: Full visibility into internal API calls, auth tokens, SQL queries, and microservice architecture.

Remediation: Require authentication + IP whitelisting. Disable in production or place behind VPN.

5. Unauthenticated Management API (Likely OpenStack Glance / Redfish / BMC) (CVSS 9.4)

Multiple unauthenticated management APIs (Redfish, BMC configuration, potential OpenStack Glance) exposed.

Detection:

curl -k https://target/redfish/v1/Systems
curl -k https://target:8443/redfish/v1

Technical Findings:

  • Redfish API Exposure: Unauthenticated access is permitted to /redfish/v1/Systems/1, /Managers/1, and /AccountService.
  • Configuration File Leak: The endpoint /cc/bmc_cc.xml is accessible without authentication, acting as a "cheat sheet" for system logic, service enumeration (VNC, KVM, SNMP), and error-handling routines.
  • Weak Security Policy: The AccountService reveals a dangerously low lockout duration (5 seconds) and a 5-attempt threshold, enabling highly efficient, automated brute-force attacks.

Exfiltrated Sensitive Data:

  • Hardware Identity: Manufacturer (H3C), Model (R4900 G6), Serial Numbers, and UUIDs.
  • Firmware Versions: BMC Firmware (1.83), BIOS (6.10.53), and ME Version (6.1.4.89), allowing for targeted CVE exploitation.
  • Network Metadata: MAC addresses for LOM ports and Broadcom interfaces, facilitating Layer 2 attacks (ARP poisoning/spoofing).
  • Operational Intel: Exposure of RAID configurations, LDAP/AD integration status, and physical security triggers (Security Bezel monitoring).

Impact: The CVSS score for this finding is 8.9. This vulnerability allows for precision exploit targeting, optimized brute-force attacks, and high-level social engineering/RMA
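Added example (not from the post, and not H3C code): a policy check for the Redfish AccountService resource that finding 5 describes, so a defender can test their own BMCs for the 5-second/5-attempt lockout. The JSON body is constructed to match the policy reported above; the property names are the standard DMTF Redfish ones, and the 15-minute / 12-character baseline is this example's own assumption.

```python
import json

# Constructed sample modelled on the weak policy in the write-up (5-second
# lockout, 5-attempt threshold); it is not a capture from a real BMC.
SAMPLE_ACCOUNT_SERVICE = json.dumps({
    "@odata.type": "#AccountService.v1_7_0.AccountService",
    "AccountLockoutThreshold": 5,
    "AccountLockoutDuration": 5,
    "AccountLockoutCounterResetAfter": 5,
    "MinPasswordLength": 8,
})

# Baseline used by this example (an assumption, not an H3C or DMTF requirement):
# lock for at least 15 minutes after at most 5 failures, 12+ character passwords.
MIN_LOCKOUT_SECONDS = 900
MAX_THRESHOLD = 5
MIN_PASSWORD_LENGTH = 12


def guesses_per_hour(threshold, duration):
    """Upper bound on online guesses the policy permits per hour (risk rationale)."""
    cycle = max(duration, 1)  # seconds locked after each burst of `threshold` tries
    return threshold * (3600 // cycle)


def evaluate_account_service(doc_json):
    """Return (is_weak, reasons) for a Redfish AccountService resource body."""
    doc = json.loads(doc_json)
    reasons = []
    thr = doc.get("AccountLockoutThreshold")
    dur = doc.get("AccountLockoutDuration")
    if not thr:  # DMTF: 0 (or absent) means accounts are never locked out
        reasons.append("account lockout disabled")
    else:
        if thr > MAX_THRESHOLD:
            reasons.append(f"lockout threshold {thr} exceeds {MAX_THRESHOLD} attempts")
        if dur is None or dur < MIN_LOCKOUT_SECONDS:
            rate = guesses_per_hour(thr, dur or 0)
            reasons.append(f"lockout duration {dur}s allows about {rate} guesses/hour")
    if doc.get("MinPasswordLength", 0) < MIN_PASSWORD_LENGTH:
        reasons.append(f"MinPasswordLength below {MIN_PASSWORD_LENGTH}")
    return bool(reasons), reasons


if __name__ == "__main__":
    weak, why = evaluate_account_service(SAMPLE_ACCOUNT_SERVICE)
    print("WEAK" if weak else "OK", *why, sep="\n  ")
```

Pass the body of your own `GET /redfish/v1/AccountService` (authenticated, from the management network) to `evaluate_account_service`; the same request succeeding without credentials is finding 6.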

All High Severity Findings (13)

6. Unauthenticated Information Disclosure (Redfish API & BMC Configuration)
Detection: Same Redfish curl commands above.
Impact: Sensitive hardware config, serial numbers, firmware versions.
Fix: Currently there is no fix for this yet, since it is a design flaw.

7. Undocumented API Endpoints with Plaintext Authentication
Detection: Directory brute-force on management ports + look for /api/ or undocumented paths.
Impact: Easy credential theft.
Fix: Remove or secure undocumented endpoints.

8. Unhandled Exception in Authentication Flow (Internal Server Error)
Detection: Fuzz login endpoints and watch for stack traces.
Impact: Information disclosure + potential bypass.
Fix: Proper error handling.

9. Client-Side Enforcement of Account Lockout
Detection: Brute-force login and observe that lockout only happens client-side.
Impact: Unlimited password spraying.
Fix: Server-side lockout + rate limiting.

10. IPMI 2.0 RAKP Password Hash Disclosure
Detection: ipmitool lan print or dedicated IPMI tools.
Impact: Offline cracking of passwords.
Fix: Upgrade IPMI firmware and disable RMCP+ where possible, or restrict access so that only the servers that need it can reach it.

11. Compute Node Multi-Plane Access
Detection: Traceroute and routing analysis between user and management networks.
Impact: Admin rights are required to create VMs, so all infrastructure teams have full admin access.
Fix: Implement proper ACLs.

12. Exposed Kiali Console with Vulnerable Components
Detection: Port scan for Kiali default port (20001).
Impact: Service mesh visibility + vulnerable JS libraries.
Fix: Authenticate and update Kiali.

13. Improper Restriction of Excessive Authentication Attempts (KVM API)
Detection: Hydra/Medusa against KVM API endpoints.
Impact: Brute-force possible.
Fix: Implement proper rate limiting.

14. Unauthenticated WebSocket Telemetry Leak
Detection: Connect to WebSocket endpoints without auth.
Impact: Real-time system telemetry leakage.
Fix: Require authentication on all WebSocket services.

15. Known Vulnerabilities in Client-Side Dependencies (Vue.js & Ace)
Detection: retire.js or browser dev tools.
Impact: XSS/CSRF via outdated JS.
Fix: Update all frontend dependencies.

16. RPCBind Service Exposure (Port 111)
Detection: rpcinfo -p target
Impact: NFS enumeration + potential exploits.
Fix: Disable or firewall RPCBind.

17. Unauthenticated & Unencrypted VNC Services
Detection: nmap -p5900-5909
Impact: Direct console access.
Fix: Require TLS + authentication.

18. Vulnerable Legacy Web Service
Detection: Version scan on old web ports.
Impact: Known RCEs.
Fix: Decommission or patch.

All Medium, Low & Info Findings (Summary with Quick Guidance)

Medium (12)

  • Cryptographic Implementation Flaws → Audit TLS configs with testssl.sh
  • Inadequate Input Validation (RegEx Bypass & Logic Flaws) → Fuzz all inputs
  • Insecure Backup Server Integration → Test backup access
  • Transmission of Credentials via URL Query Parameters → Check all GET requests
  • Proprietary Asset & Directory Structure Leakage → Directory brute-forcing
  • Undocumented Hidden Nginx Endpoint (Port 10250) → Block kubelet-style ports
  • Absent Web Application Firewall → Deploy WAF
  • Open DNS Recursive Resolver → Disable recursion
  • Undocumented "Shadow" API Endpoints → Full API enumeration
  • Active Telnet Services → Disable immediately
  • Outdated Out-of-Band Management Firmware (HDM2) → Update BMC firmware
  • Legacy Cleartext Protocol Exposure (FTP) → Switch to SFTP

Low

  • Weak SSH Encryption Algorithms → Update sshd_config

Informational

  • Outdated Third-Party Component (core-js) + Unlimited Username Input Length → Update libraries & add length limits

Pentester Playbook — Quick Checklist for H3C Environments (2026)

  1. Always start with OS & SSH version checks on every host.
  2. Map the management plane — look for "God Node" consolidation.
  3. Scan high ports (16686 Jaeger, 20001 Kiali, Redfish, 5900 VNC).
  4. Test every proxy/bridge for unauthorized pivoting.
  5. Run full nmap -p- -sV --script vuln + testssl.sh on management ranges.
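Added example for checklist steps 3 and 5 (not part of the original playbook): triaging `nmap -oX` output for the exposures this write-up found, so the same scan can be run by defenders against their own management ranges. The XML is constructed with RFC 5737 documentation addresses, and port 623 for IPMI is added from general knowledge since the post names no IPMI port.

```python
import xml.etree.ElementTree as ET

# Ports the write-up found exposed, mapped to the finding they point at. Port 623
# (standard IPMI/RMCP+) is added from general knowledge; the post names no port.
WATCHLIST = {
    16686: ("Jaeger UI", "Critical"),
    20001: ("Kiali console", "High"),
    111: ("RPCBind", "High"),
    623: ("IPMI/RMCP+", "High"),
    23: ("Telnet", "Medium"),
    21: ("FTP", "Medium"),
    10250: ("Hidden Nginx endpoint (kubelet-style port)", "Medium"),
}
VNC_PORTS = range(5900, 5910)
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}

def triage_nmap_xml(xml_text):
    """Return [(addr, port, proto, label, severity)] for open watch-listed ports."""
    hits = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not an exposure
            pid = int(port.get("portid"))
            if pid in WATCHLIST:
                label, sev = WATCHLIST[pid]
            elif pid in VNC_PORTS:
                label, sev = "VNC console", "High"
            else:
                continue
            hits.append((addr, pid, port.get("protocol"), label, sev))
    hits.sort(key=lambda h: (SEVERITY_ORDER[h[4]], h[0], h[1]))
    return hits

# Constructed nmap -oX output (RFC 5737 documentation addresses, not real hosts).
SAMPLE_NMAP_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="16686"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="5901"><state state="open"/><service name="vnc"/></port>
</ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="111"><state state="open"/><service name="rpcbind"/></port>
<port protocol="tcp" portid="23"><state state="filtered"/></port>
<port protocol="udp" portid="623"><state state="open"/><service name="asf-rmcp"/></port>
</ports></host>
</nmaprun>"""
```

Run `nmap -p- -sV -oX scan.xml <management range>` and pass the file contents to `triage_nmap_xml`; each hit maps to one of the findings above, so the output doubles as a remediation worklist.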

Final Advice to Defenders

  • Treat management networks as a new perimeter.
  • Enforce strict OS lifecycle policies.
  • Never bridge user and management networks without zero-trust controls.
  • Schedule quarterly external pentests.

This environment was production; these issues exist in real deployments today. Around the world, using Shodan, you can see hundreds of thousands of H3C servers like these.

Stay safe, test thoroughly, and patch relentlessly.

Published anonymously for the community, February 2026

#Pentest #RedTeam #H3C #CloudSecurity #Cybersecurity