Tuesday, May 6, 2025
HomeCVE/vulnerability6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

Published on

SIEM as a Service

Follow Us on Google News

The software supply chain is filled with various challenges, such as untracked security vulnerabilities in open-source components and inconsistent update uptake. 

The lighttpd vulnerability was silently fixed in 2018 without any CVE assignment in a single instance of vulnerability detection.

As a result, critical security patches are often lost on downstream software that relies on these elements.

- Advertisement - Google News

Consequently, it is very difficult to trace every modification for possible problems without designated security advisories and CVE assignments, which creates gaps in vulnerability management across the supply chain.

Binary cybersecurity researchers recently discovered that Lighttpd, a 6-year-old security flaw, has impacted Intel and Lenovo servers.

6-year-old Lighttpd Flaw

While studying BMC safety, Binarly encountered a heap out-of-bounds read vulnerability (BRLY-2024-002) in the Lighttpd module of a discontinued Intel Server System product. 

The unpatched flaw, which was fixed silently multiple years ago without CVE, would not be addressed as it was no longer under support. 

This complexity and insecurity of firmware and software supply chains are well illustrated by the existence of vulnerabilities in third-party components that are left isolated for years, leading to long-term risks with destructing consequences for different sectors. 

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

While the expected life cycle reactions make sense, there is an underlying issue regarding ungoverned exposures in the supply chain that needs to be addressed promptly by taking proactive measures.

The finding also shows contradictions in the firmware supply chain, as some of the latest versions contain outdated third-party components that create additional risks for users.

Further research confirmed that Lenovo BMC firmware for HX3710, HX3710-F, and HX2710-E servers was similarly affected by this vulnerability.

Like Intel, their response noted that these servers had become end-of-life, making it difficult to release future security updates.

Coverages (Source – Binarly)

This situation highlights a more general problem of unpatched vulnerabilities in older products caused by the complexity of firmware supply chains and lifecycle management.

The silent fix does not include an advisory or CVE identifier to facilitate patch management processes that further complicate the problem. 

No prompt, significant information on security fixes makes effective handling of firmware and software supply chains impossible. 

Binary assigned identifiers BRLY-2024-002 and BRLY-2024-003 for the affected Intel and Lenovo BMC firmware, while BRLY-2024-004 was given to the vulnerable Lighttpd build.

This indicates that better vulnerability disclosure and coordination are required across the complicated supply chain ecosystem.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit Fake Chrome Error Pages to Deploy Malicious Scripts on Windows Users

Hackers are leveraging a sophisticated social engineering technique dubbed "ClickFix" to trick Windows users...

New ClickFix Attack Imitates Ministry of Defence Website to Target Windows & Linux Systems

A newly identified cyberattack campaign has surfaced, leveraging the recognizable branding of India's Ministry...

Threat Actor Evades SentinelOne EDR to Deploy Babuk Ransomware

Aon’s Stroz Friedberg Incident Response Services has uncovered a method used by a threat...

Samsung MagicINFO 9 Server Vulnerability Actively Exploited in the Wild

A critical security vulnerability in the Samsung MagicINFO 9 Server has come under active...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Fake Chrome Error Pages to Deploy Malicious Scripts on Windows Users

Hackers are leveraging a sophisticated social engineering technique dubbed "ClickFix" to trick Windows users...

New ClickFix Attack Imitates Ministry of Defence Website to Target Windows & Linux Systems

A newly identified cyberattack campaign has surfaced, leveraging the recognizable branding of India's Ministry...

Threat Actor Evades SentinelOne EDR to Deploy Babuk Ransomware

Aon’s Stroz Friedberg Incident Response Services has uncovered a method used by a threat...