CVE-2020-26122

Name: CVE-2020-26122
Creator: NVD / NIST
Published: 2020-12-07T16:15:12.027+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.2/10EPSS 1.16%

Last modified Jun 17, 2026

CVE-2020-26122 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. Inspur NF5266M5 through 3.21.2 and other server M5 devices allow remote code execution via administrator privileges. The Baseboard Management Controller (BMC) program of INSPUR server is weak in checking the firmware and lacks the signature verification mechanism, the attacker who obtains the administrator's rights can control the BMC by inserting malicious code into the firmware program and bypassing the current verification mechanism to upgrade the BMC.. EPSS estimates a 1.16% chance of exploitation in the next 30 days.

Description

Inspur NF5266M5 through 3.21.2 and other server M5 devices allow remote code execution via administrator privileges. The Baseboard Management Controller (BMC) program of INSPUR server is weak in checking the firmware and lacks the signature verification mechanism, the attacker who obtains the administrator's rights can control the BMC by inserting malicious code into the firmware program and bypassing the current verification mechanism to upgrade the BMC.

Metrics

CVSS 3.1

7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.16%

63.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-347

Affected Software

Vendor	Product	Versions
Inspur	Nf8480m5 Firmware	< 1.19.34
Inspur	Nf8260m5 Firmware	< 1.19.34
Inspur	Ns5162m5 Firmware	< 4.5.3
Inspur	Ns5488m5 Firmware	< 1.19.33
Inspur	Ns5484m5 Firmware	< 1.19.33
Inspur	Ns5482m5 Firmware	< 1.19.33
Inspur	Nf5280m5 Firmware	< 4.26.6
Inspur	Nf5468m5 Firmware	< 1.18.51
Inspur	Nf5488m5-D Firmware	< 1.18.51
Inspur	Nf5180m5 Firmware	< 4.18.2
Inspur	Nf5270m5 Firmware	< 4.9.1
Inspur	Nf5260m5 Firmware	< 3.8.0
Inspur	Nf5266m5 Firmware	< 3.21.3
Inspur	Nf5466m5 Firmware	< 4.28.0
Inspur	Nf5486m5 Firmware	< 3.22.0

References

https://en.inspur.com/en/2487134/index.htmlBroken Link
https://en.inspur.com/en/security_bulletins/security_advisory2/2543921/index.htmlVendor Advisory
https://en.inspur.com/en/2487134/index.htmlBroken Link
https://en.inspur.com/en/security_bulletins/security_advisory2/2543921/index.htmlVendor Advisory

Timeline

Published: Dec 7, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-26122?

How severe is CVE-2020-26122?

CVE-2020-26122 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 1.16% probability of exploitation in the next 30 days.

How do I fix CVE-2020-26122?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-26122?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST