CVE-2015-2560
Published 2017-08-02
Priority: P263, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.61% (96.4th percentile)
Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_desktop_central | — | — |
Detection & IOCs (extracted from sources)
url: /DCOperationsServlet
command: operation=addOrModifyUser
command: roleId=DCAdmin
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Desktop Central Unauthorized Administrative Password Reset (CVE-2015-2560)"; flow:established,to_server; http.uri; content:"/DCOperationsServlet"; content:"operation=addOrModifyUser"; content:"roleId=DCAdmin"; fast_pattern; reference:cve,2015-2560; classtype:attempted-admin; sid:2063356; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, created_at 2025_07_08, cve CVE_2015_2560, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit targets HTTP POST/GET to the servlet path /DCOperationsServlet with parameters operation=addOrModifyUser and roleId=DCAdmin. Monitor inbound HTTP traffic to ManageEngine Desktop Central servers for this URI and parameter combination.
- The Snort/Suricata rule (SID 2063356) uses fast_pattern on 'roleId=DCAdmin'; prioritize this string as the highest-signal detection anchor in HTTP URI inspection.
- Traffic direction is inbound to server (to_server, established flow). Deploy detection at the perimeter and internally on segments hosting ManageEngine Desktop Central.
- MITRE mapping is TA0001 Initial Access / T1190 Exploit Public-Facing Application. Correlate alerts with subsequent privilege escalation or lateral movement activity.
- Vulnerability only affects ManageEngine Desktop Central 9 builds prior to 90135. Verify the installed build number before treating alerts as confirmed exploitation attempts.
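An added example (not part of the original page or of the Emerging Threats rule set): the same URI and parameter combination checked offline against web access logs, for retro-hunting on servers that had no network sensor in front of them. The combined log format, the sample lines and the function names are assumptions; parameters sent in a POST body are not written to access logs, so only query-string requests are visible to it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request portion of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
SERVLET = "/DCOperationsServlet"
# Parameter/value pairs taken from the rule's content matches.
REQUIRED = {"operation": "addOrModifyUser", "roleId": "DCAdmin"}


def match_line(line):
    """Return a finding dict if the line matches the CVE-2015-2560 pattern, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if SERVLET not in unquote(parts.path):
        return None
    # parse_qs percent-decodes names and values, so matching is done on the
    # normalized form and does not depend on parameter order.
    params = parse_qs(parts.query, keep_blank_values=True)
    if any(value not in params.get(name, []) for name, value in REQUIRED.items()):
        return None
    # The status code helps triage: a 404 suggests the servlet is not present.
    return {"src": m["src"], "method": m["method"],
            "status": int(m["status"]), "uri": m["uri"]}


def scan(lines):
    """Return findings for every matching line, in input order."""
    return [hit for hit in map(match_line, lines) if hit]


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jul/2025:10:00:01 +0000] "GET /servlets/DCOperationsServlet?operation=addOrModifyUser&roleId=DCAdmin HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Jul/2025:10:00:05 +0000] "GET /servlets/DCOperationsServlet?roleId=DCAdmin&operation=addOrModifyUser HTTP/1.1" 404 0',
    '192.0.2.44 - - [08/Jul/2025:10:00:09 +0000] "GET /servlets/DCOperationsServlet?operation=addOrModifyUser&roleId=other HTTP/1.1" 200 90',
    '192.0.2.44 - - [08/Jul/2025:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["method"], hit["status"], hit["uri"])
```

A hit on a server running build 90135 or later is an attempt against a patched target; on earlier builds, follow up by reviewing administrator account changes around the logged timestamp.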
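CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |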
No public exploits indexed.
References
- http://packetstormsecurity.com/files/131062/Manage-Engine-Desktop-Central-9-Unauthorized-Administrative-Password-Reset.html
- http://www.securityfocus.com/archive/1/535004/100/1400/threaded
- http://www.securityfocus.com/bid/73380
- https://www.manageengine.com/products/desktop-central/unauthorized-admin-credential-modification.html