
CVE-2022-28640: potential local arbitrary code execution in HPE Integrated Lights-Out 5 (iLO 5)

Severity: High
Type: Vulnerability
CVE ID: CVE-2022-28640
Published: Tue Sep 20 2022 (09/20/2022, 20:01:58 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: HPE Integrated Lights-Out 5 (iLO 5)

Description

A potential local adjacent arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability was discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71. Hewlett Packard Enterprise has provided updated firmware for HPE Integrated Lights-Out 5 (iLO 5) that addresses this security vulnerability.

AI-Powered Analysis

Last updated: 07/07/2025, 07:57:58 UTC

Technical Analysis

CVE-2022-28640 is a high-severity vulnerability in Hewlett Packard Enterprise's Integrated Lights-Out 5 (iLO 5) management firmware, affecting versions prior to 2.72. iLO 5 is the out-of-band management controller embedded in HPE servers; it lets administrators manage and monitor server hardware remotely, independently of the host operating system.

The flaw is described as a potential local adjacent arbitrary code execution vulnerability and is classified under CWE-94 (Improper Control of Generation of Code). An attacker with adjacent network access to the iLO interface could use it to execute arbitrary code on the iLO 5 management processor. The CVSS 3.1 base score is 8.8 (High) with vector string AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the attack requires adjacent network access (for example, the same subnet), has low attack complexity, needs no privileges or user interaction, and has high confidentiality, integrity, and availability impact.

Successful exploitation could give an attacker full control of the iLO 5 management controller, leading to disclosure of sensitive information, manipulation or disruption of server management functions, and denial of service. Because iLO 5 runs independently of the host OS, a compromised iLO can provide persistent, stealthy control over the server hardware that host-based security tooling does not see.

Hewlett Packard Enterprise has released firmware updates (version 2.72 and later) that address the vulnerability. No exploits in the wild had been reported as of the publication date (September 20, 2022), but the severity of the flaw and the privileged access it grants make timely patching essential. The adjacent-network attack vector means an attacker must reach the iLO interface over the network; that interface is usually on a segregated management network but is sometimes exposed for remote management, so insufficient network segmentation raises the risk considerably.

Potential Impact

For European organizations, the impact of CVE-2022-28640 can be significant, especially for enterprises relying on HPE servers with iLO 5 for critical infrastructure. Compromise of iLO 5 could lead to unauthorized control over server hardware, enabling attackers to bypass operating system security controls, access sensitive data, manipulate server configurations, or disrupt availability of essential services. This could affect sectors such as finance, healthcare, government, and telecommunications, where HPE servers are prevalent and data confidentiality and service availability are paramount. Additionally, the ability to execute arbitrary code on the management controller could facilitate lateral movement within networks, undermining network segmentation and increasing the risk of broader compromise. Given the GDPR and other stringent data protection regulations in Europe, any breach resulting from this vulnerability could lead to regulatory penalties and reputational damage. The vulnerability's exploitation could also impact cloud service providers and data centers operating in Europe that utilize HPE hardware, potentially affecting multiple customers and services.

Mitigation Recommendations

European organizations should immediately verify the firmware version of all HPE iLO 5 interfaces and upgrade to version 2.72 or later to remediate this vulnerability. Beyond patching, organizations should enforce strict network segmentation to isolate iLO interfaces from general user networks and the internet, limiting access only to trusted administrative hosts. Implementing access control lists (ACLs) and VPNs for remote management access can reduce exposure. Monitoring network traffic to and from iLO interfaces for anomalous activity can help detect potential exploitation attempts. Organizations should also review and harden iLO user credentials, disable unused management features, and ensure logging and alerting are enabled for iLO access events. Regular vulnerability scanning and penetration testing should include checks for outdated iLO firmware. Finally, organizations should maintain an inventory of all HPE servers and their management interfaces to ensure comprehensive coverage of mitigation efforts.
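The first mitigation step above is to verify the firmware version of every iLO 5 and compare it against the fixed release (2.72). The following script is an added example, not code from the advisory or from HPE: it parses the FirmwareVersion string that iLO 5 exposes in its Redfish Manager resource (/redfish/v1/Managers/1), decides whether a given controller is still below 2.72, and triages a fleet inventory. The exact version-string format ("iLO 5 v2.71"), the hostnames, and the sample inventory are assumptions and constructed data; adjust the parser if your firmware reports the version differently.

```python
"""Check iLO 5 firmware versions against the CVE-2022-28640 fix (2.72).

Added example, not from the advisory or HPE. Assumes iLO reports its
firmware as "iLO 5 v<major>.<minor>" in the Redfish FirmwareVersion
property; the sample inventory below is constructed data.
"""
import base64
import json
import re
import ssl
import urllib.request

# First release the advisory names as carrying the fix.
FIXED_VERSION = (2, 72)

# Assumed format of the Redfish FirmwareVersion string, e.g. "iLO 5 v2.71".
_VERSION_RE = re.compile(r"iLO\s*(\d+)\s*v(\d+)\.(\d+)", re.IGNORECASE)


def parse_ilo_version(firmware_string):
    """Return (generation, major, minor) from an iLO FirmwareVersion string,
    or None if the string does not look like an iLO version."""
    m = _VERSION_RE.search(firmware_string)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(firmware_string):
    """True when the string identifies an iLO 5 build older than 2.72.

    Other generations (iLO 4, iLO 6) are outside the scope of this CVE and
    return False. Unparseable strings raise rather than silently passing,
    so an odd response is noticed instead of being counted as patched."""
    parsed = parse_ilo_version(firmware_string)
    if parsed is None:
        raise ValueError(f"unrecognised iLO version string: {firmware_string!r}")
    generation, major, minor = parsed
    if generation != 5:
        return False
    # Integer tuple comparison avoids the string-compare trap "2.9" > "2.72".
    return (major, minor) < FIXED_VERSION


def fetch_firmware_version(host, username, password, verify_tls=True):
    """Read FirmwareVersion from a live iLO's Redfish Manager resource.

    Uses HTTP basic auth for brevity; iLO also supports Redfish sessions.
    This is a network call and is not exercised by the offline sample run."""
    req = urllib.request.Request(f"https://{host}/redfish/v1/Managers/1")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab appliances still on self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["FirmwareVersion"]


def triage_inventory(inventory):
    """Given {host: FirmwareVersion string}, return the hosts still exposed."""
    return sorted(h for h, fw in inventory.items() if is_vulnerable(fw))


# Constructed sample inventory standing in for a fleet of Redfish responses.
SAMPLE_INVENTORY = {
    "ilo-db01.example.internal": "iLO 5 v2.71",   # one minor below the fix
    "ilo-web02.example.internal": "iLO 5 v2.72",  # exactly the fixed release
    "ilo-old03.example.internal": "iLO 5 v2.10",  # old build, vulnerable
    "ilo-legacy.example.internal": "iLO 4 v2.80",  # different generation
    "ilo-new.example.internal": "iLO 5 v3.01",    # newer major, patched
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to iLO 5 2.72 or later")
```

In practice the inventory would be built by calling fetch_firmware_version() for each iLO host from a management jump host; the comparison is done on integer tuples so that a future "2.100" or "3.0" release sorts correctly, and any controller whose response does not parse is surfaced as an error rather than quietly treated as patched.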


Technical Details

Data Version: 5.1
Assigner Short Name: hpe
Date Reserved: 2022-04-04T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68385089182aa0cae27baaac

Added to database: 5/29/2025, 12:18:17 PM

Last enriched: 7/7/2025, 7:57:58 AM

Last updated: 7/31/2025, 2:15:37 AM

