| Vulnerability Details | |
|---|---|
| Impact | CVSS V3 rating: 9.8 CRITICAL |
| Fixed | 20 August 2019 |
| Affected Builds | Up to Build 14300 |
| Fixed in | Build 14310 |
| Overview | Unauthenticated Remote Command Execution in Applications Manager Plugin. |
| Recommended Fix | Upgrade Applications Manager Plugin to version 14310 or above. |
An issue was discovered in Zoho ManageEngine OpManager with the Applications Manager Plugin through 12.4x. An unauthenticated user can bypass the user password requirement and execute commands on the server, because the string `username + "@opm"` is used as the password. For example, if the username is admin, the password is admin@opm.
We recommend upgrading the Applications Manager Plugin to version 14310 or above, and OpManager to the latest version, to fix this issue.
Source and Acknowledgements
Find out more about CVE-2019-15106 from CVE Directory and NIST NVD.
Other Resources: https://www.pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html
For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com