On Tuesday, March 5th, you may have received the email above from NetApp about a security vulnerability in the Service Processor (SP). Since several customers have asked about it, we wanted to post a response to help you address this email.

The vulnerability is:

https://security.netapp.com/advisory/ntap-20190305-0001/

“Certain versions of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution.”

What this means is that if an attacker can reach the IP of your SP and knows the default account credentials, they can execute commands on it. However, because the SP does not support multi-factor authentication (MFA), I have not yet met a NetApp user who exposes their SP to the internet. So this vulnerability is only a liability if the SP is exposed to the internet or an attacker has already breached your network.

The good news is that there is a very easy, non-disruptive patch for this issue, so you can apply it now and make sure it never becomes a problem for your organization.

In addition, if you have one of the following controllers you do not need to apply a patch, as these are the unaffected platforms and firmware versions:

The FAS/AFF Baseboard Management Controller (BMC), Service Processor 1.x firmware versions, ONTAP Select and Cloud Volumes ONTAP are not affected by this vulnerability. This includes the following platforms: AFF A220, FAS2720, FAS2750, AFF A800, AFF A700s, FAS6290, FAS6280, FAS6250, FAS6240, FAS6220, FAS6210, FAS3270, FAS3250, FAS3240, FAS3220, FAS3210 and V-Series variants.

If you do not have one of the above controllers, you will need to update your SP to a version that addresses this issue.

If you have an affected controller, updating it is fairly simple.

First, log in to the NetApp support site at:

https://mysupport.netapp.com/

Next, navigate to the Downloads drop-down and click ‘System Firmware & Diagnostics’.

Then choose your controller.

Next, choose ‘Service Processor for installation from the Data ONTAP prompt’ (this was easiest for me).

Finally, click on the file to download it.

To use this file to update your SP you will need an HTTP server with wide-open permissions (it only has to allow anonymous read access to that one file, and it only has to exist for the duration of the transfer). For most customers this can be a really painful process to get through change management and security. Fortunately, I have found an excellent solution. I use Mongoose Pro (there is a free version, but if you like this, please do the right thing and pay for this developer's hard work):

https://cesanta.com/binary.html

Mongoose is my temporary web server of choice: it requires no install, it runs in your taskbar, and when you are done you right-click its taskbar icon and choose ‘exit’ to close it.

Create a folder on the root of your C: drive called ‘http’ and place the SP update file you downloaded in this folder along with Mongoose.

Next, double-click Mongoose, right-click on the patch filename and choose ‘copy link address’.

Then, open a Notepad file and paste that link into it. In front of the URL type ‘system node image get -node NODENAME -package’, and after the URL add ‘-replace-package true’. You should end up with something like my command:

system node image get -node NODENAME -package http://10.10.50.50:8080/306-04426_A0-AFF_FAS80XX_3.7P1_SP_FW.zip -replace-package true

Next, open an SSH session (PuTTY) to the cluster management IP of your NetApp and elevate your privileges to advanced:

set -priv adv

Then, confirm with a ‘y’.

Finally, download the SP firmware to the storage controller by pasting the command from your Notepad file into your SSH session (replace NODENAME with the name of the node you are updating):

system node image get -node NODENAME -package http://10.10.50.50:8080/306-04426_A0-AFF_FAS80XX_3.7P1_SP_FW.zip -replace-package true

You should see a response confirming the download.

Once the file is uploaded, your NetApp should automatically update the SP. After an hour, reopen your SSH session and run:

system service-processor show -node node1

This will confirm that your SP has been updated.
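As an added example (not from the original post, and not NetApp's or Cesanta's code), here is a minimal Python stand-in for the temporary HTTP server step above: instead of a general-purpose server with wide-open permissions, it serves only the one firmware zip, only to the node IP addresses you list, refuses directory listings and every other path with a 404, and logs each request (client IP and path) to stderr so the transfer leaves a record. The folder, file name, addresses and the two self-check helpers (fetch_status, make_sample_dir) are assumptions for illustration, not values from the post.

```python
import os, tempfile, threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def is_allowed(path, client_ip, firmware_name, allowed_clients):
    """Permit a GET only for the staged file and only from a listed node IP."""
    return client_ip in allowed_clients and path.lstrip("/") == firmware_name

class FirmwareHandler(BaseHTTPRequestHandler):
    """Serves exactly one file; listings, other paths and other clients get 404.
    The default request log (client IP, path, status) goes to stderr."""
    firmware_dir, firmware_name, allowed_clients = ".", "", frozenset()

    def do_GET(self):
        if not is_allowed(self.path, self.client_address[0],
                          self.firmware_name, self.allowed_clients):
            self.send_error(404)  # same answer for unknown paths and unlisted clients
            return
        with open(os.path.join(self.firmware_dir, self.firmware_name), "rb") as fh:
            data = fh.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/zip")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def start_server(firmware_dir, firmware_name, allowed_clients, bind="0.0.0.0", port=8080):
    """Run the single-file server in a background thread; return (server, bound port)."""
    handler = type("BoundHandler", (FirmwareHandler,), {
        "firmware_dir": firmware_dir, "firmware_name": firmware_name,
        "allowed_clients": frozenset(allowed_clients)})
    server = HTTPServer((bind, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def fetch_status(url):
    """GET url and return (HTTP status, body); used to self-check the server."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""

def make_sample_dir():
    """Constructed stand-in for the C:\\http folder holding a placeholder firmware zip."""
    folder = tempfile.mkdtemp()
    name = "SP_FW_PLACEHOLDER.zip"  # placeholder, not a real NetApp file name
    with open(os.path.join(folder, name), "wb") as fh:
        fh.write(b"PK\x05\x06" + b"\x00" * 18)  # a valid empty zip archive
    return folder, name
```

In practice you would call start_server with your C:\http folder, the real zip name, the node's IP in allowed_clients and port 8080, then run the system node image get command from the post and call server.shutdown() once the transfer completes.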

As you can see, this can be done relatively easily. However, Entisys360 would be happy to schedule a Webex session to assist with this and perform a health check of your NetApp if you prefer; reach out to your Entisys360 representative to schedule assistance.