CVE-2021-3661


A potential security vulnerability has been identified in certain HP Workstation BIOS (UEFI firmware) which may allow arbitrary code execution. HP is releasing firmware mitigations for the potential vulnerability.


Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 8.4. Exploitation requires local system access, has relatively low complexity, needs no user interaction, and does not require pre-existing privileges. The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. It affects 40 products from hp; organizations running these products should prioritize assessment and patching.

Historical Context

Reported in 2022, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.


Published

2022-12-12T13:15:11.693

Last Modified

2025-04-29T05:15:40.660

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.4 (HIGH)

Weaknesses
  • Type: Primary
    NVD-CWE-noinfo
  • Type: Secondary
    CWE-94

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | hp | z1_all-in-one_g3_firmware | 01.31 | Yes |
| Hardware | hp | z1_all-in-one_g3 | - | No |
| Operating System | hp | z2_mini_g3_firmware | 01.83 | Yes |
| Hardware | hp | z2_mini_g3 | - | No |
| Operating System | hp | z2_mini_g4_firmware | 01.08.01 | Yes |
| Hardware | hp | z2_mini_g4 | - | No |
| Operating System | hp | z2_mini_g5_firmware | 01.03.00_rev_a | Yes |
| Hardware | hp | z2_mini_g5 | - | No |
| Operating System | hp | z2_small_form_factor_g4_firmware | 01.08.01 | Yes |
| Hardware | hp | z2_small_form_factor_g4 | - | No |
| Operating System | hp | z2_small_form_factor_g5_firmware | 01.03.00_rev_a | Yes |
| Hardware | hp | z2_small_form_factor_g5 | - | No |
| Operating System | hp | z2_small_form_factor_g8_firmware | 01.03.00_rev_a | Yes |
| Hardware | hp | z2_small_form_factor_g8 | - | No |
| Operating System | hp | z2_tower_g4_firmware | 01.08.01 | Yes |
| Hardware | hp | z2_tower_g4 | - | No |
| Operating System | hp | z2_tower_g5_firmware | 01.03.00_rev_a | Yes |
| Hardware | hp | z2_tower_g5 | - | No |
| Operating System | hp | z2_tower_g8_firmware | 01.03.00_rev_a | Yes |
| Hardware | hp | z2_tower_g8 | - | No |
| Operating System | hp | z238_microtower_firmware | 01.83 | Yes |
| Hardware | hp | z238_microtower | - | No |
| Operating System | hp | z240_small_form_factor_firmware | 01.83 | Yes |
| Hardware | hp | z240_small_form_factor | - | No |
| Operating System | hp | z240_tower_firmware | 01.83 | Yes |
| Hardware | hp | z240_tower | - | No |
| Operating System | hp | z4_g4_firmware | 02.75 | Yes |
| Hardware | hp | z4_g4 | - | No |
| Operating System | hp | z440_firmware | 2.58 | Yes |
| Hardware | hp | z440 | - | No |
| Operating System | hp | z6_g4_firmware | 02.75 | Yes |
| Hardware | hp | z6_g4 | - | No |
| Operating System | hp | z640_firmware | 2.58 | Yes |
| Hardware | hp | z640 | - | No |
| Operating System | hp | z8_g4_firmware | 02.75 | Yes |
| Hardware | hp | z8_g4 | - | No |
| Operating System | hp | z840_firmware | 2.58 | Yes |
| Hardware | hp | z840 | - | No |
| Operating System | hp | zcentral_4r_firmware | 01.18 | Yes |
| Hardware | hp | zcentral_4r | - | No |
