How to remediate – HP Integrated Lights-Out (iLO) Default Credentials

1. Introduction

The HP Integrated Lights-Out (iLO) Default Credentials issue allows remote access to a server’s management interface using default usernames and passwords. This poses a critical risk, as attackers can gain full control of the affected system using only these known credentials. Systems commonly affected include HP ProLiant servers running iLO.

2. Technical Explanation

The remote HP Integrated Lights-Out (iLO) install uses default administrative credentials (‘Admin’ / ‘Admin’ or ‘Oper’ / ‘Oper’) to control access to its management interface. An attacker can exploit this by directly attempting to log in with these known credentials. This is a common vulnerability due to the ease of use and wide availability of tools for brute-force attacks.

  • Root cause: Use of weak, default administrative credentials on iLO web interface.
  • Exploit mechanism: An attacker attempts to connect to the iLO management interface via HTTP or HTTPS and uses the default ‘Admin’ / ‘Admin’ or ‘Oper’ / ‘Oper’ credentials for authentication. Successful login grants full control over the server’s remote management capabilities.
  • Scope: HP ProLiant servers with integrated Lights-Out (iLO) functionality.

3. Detection and Assessment

  • Quick checks: Access the iLO web interface (usually via server’s IP address in a browser) and check the ‘About’ section for the iLO firmware version.
  • Scanning: Nessus plugin ID 10429 can detect this vulnerability. Other scanners may have similar plugins.
  • Logs and evidence: Check web server logs for login attempts using default credentials. Look for failed login events from various source IPs.
No command is available to check iLO credentials remotely; interface access is required.
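
A log review along the lines of the "Logs and evidence" check above, as an added example that is not part of the original article or of any HP tooling: it scans login events for the default account names ‘Admin’ and ‘Oper’ and groups failed attempts by source IP. The log line format, the `review_logins` function and the sample lines are assumptions constructed for illustration; adapt the regular expression to the format your iLO or syslog export actually produces.

```python
import re
from collections import defaultdict

# Default account names listed on this page.
DEFAULT_USERS = {"Admin", "Oper"}

# Assumed log line format (hypothetical, adapt the regex to your export):
#   <ISO timestamp> ilo-login result=<success|failure> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ilo-login result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
2025-12-01T08:00:01Z ilo-login result=failure user=Admin src=198.51.100.7
2025-12-01T08:00:03Z ilo-login result=failure user=Oper src=198.51.100.7
2025-12-01T08:02:10Z ilo-login result=failure user=Admin src=203.0.113.20
2025-12-01T08:05:44Z ilo-login result=success user=Admin src=203.0.113.20
2025-12-01T09:15:00Z ilo-login result=success user=svc-ops src=192.0.2.10
this line is malformed and is skipped
"""


def review_logins(log_text, default_users=DEFAULT_USERS):
    """Summarise login events that involve the default account names."""
    failures = defaultdict(set)  # user -> source IPs with failed logins
    successes = []               # (timestamp, user, src) for default accounts
    skipped = 0                  # lines that did not match the assumed format
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        if m["user"] not in default_users:
            continue
        if m["result"] == "success":
            successes.append((m["ts"], m["user"], m["src"]))
        else:
            failures[m["user"]].add(m["src"])
    return {
        "default_account_successes": successes,
        "failed_sources_by_user": {u: sorted(s) for u, s in failures.items()},
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    print(review_logins(SAMPLE_LOG))
```

A successful login under a default account name does not by itself show that the default password was used, so treat those entries as items to review against the remediation status of that host.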

4. Solution / Remediation Steps

Fix the issue by changing the default login credentials on the iLO management interface.

4.1 Preparation

  • Dependencies: Access to the iLO web interface with administrative privileges.
  • Roll back plan: Restore from backup if issues occur.
  • Change window needs: Standard maintenance window recommended, approval may be needed based on internal policy.

4.2 Implementation

  1. Log in to the iLO web interface using the default credentials (‘Admin’ / ‘Admin’ or ‘Oper’ / ‘Oper’).
  2. Navigate to ‘Users and Roles’ under ‘Account’.
  3. Select the ‘Admin’ user.
  4. Change the password for the ‘Admin’ user to a strong, unique password.
  5. Repeat steps 3 & 4 for the ‘Oper’ user if it exists.
  6. Log out and verify access with the new credentials.

4.3 Config or Code Example

Before

Username: Admin
Password: Admin

After

Username: Admin
Password: <YourStrongNewPassword>

4.4 Security Practices Relevant to This Vulnerability

  • Practice 1: Safe defaults – avoid using default credentials for any system or service.
  • Practice 2: Least privilege – limit access to sensitive systems and services based on the principle of least privilege.

4.5 Automation (Optional)

No suitable automation script is available due to the interface-based nature of this change.

5. Verification / Validation

  • Post-fix check: Attempt to log in to the iLO web interface using ‘Admin’ / ‘Admin’. The login should fail.
  • Re-test: Repeat step 1 from section 3, which should no longer show successful default credential logins.
  • Smoke test: Verify remote console access and server health monitoring functionality work as expected with the new credentials.
No command is available to check iLO credentials remotely; interface access is required.

6. Preventive Measures and Monitoring

  • Baselines: Update security baselines or policies to enforce strong password requirements for all systems.
  • Pipelines: Implement configuration management tools to automatically detect and remediate default credentials.
  • Asset and patch process: Regularly review asset inventories and ensure timely patching of iLO firmware.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Incorrect password configuration may lock out access to the iLO interface. Mitigation: Document the new credentials securely.
  • Roll back: Restore the iLO configuration from the backup created in step 1 of section 4.1.

Updated on December 27, 2025