CVE-2015-2560
published 2017-08-02


Priority: P263 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.61% (96.4th percentile)
Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.

Affected

1 range
Vendor | Product | Version range | Fixed in
zohocorp | manageengine_desktop_central | |

Detection & IOCs (extracted from sources)

url: /DCOperationsServlet
command: operation=addOrModifyUser
command: roleId=DCAdmin
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Desktop Central Unauthorized Administrative Password Reset (CVE-2015-2560)"; flow:established,to_server; http.uri; content:"/DCOperationsServlet"; content:"operation=addOrModifyUser"; content:"roleId=DCAdmin"; fast_pattern; reference:cve,2015-2560; classtype:attempted-admin; sid:2063356; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, created_at 2025_07_08, cve CVE_2015_2560, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST/GET to the servlet path /DCOperationsServlet with parameters operation=addOrModifyUser and roleId=DCAdmin — monitor inbound HTTP traffic to ManageEngine Desktop Central servers for this URI and parameter combination.
  • The Snort/Suricata rule (SID 2063356) uses fast_pattern on 'roleId=DCAdmin' — prioritize this string as the highest-signal detection anchor in HTTP URI inspection.
  • Traffic direction is inbound to server (to_server, established flow) — deploy detection at the perimeter and internally on segments hosting ManageEngine Desktop Central.
  • MITRE mapping is TA0001 Initial Access / T1190 Exploit Public-Facing Application — correlate alerts with subsequent privilege escalation or lateral movement activity.
  • Vulnerability only affects ManageEngine Desktop Central 9 builds prior to 90135 — verify the installed build number before treating alerts as confirmed exploitation attempts.
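
Added example (not part of the original page, the vendor's code, or the rule set): a retrospective hunt for the same URI and parameter combination in web access logs. The rule above inspects http.uri only, so this sketch also accepts a form body when one is available. The combined log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request portion of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_admin_reset_request(target, body=""):
    """True if the request names DCOperationsServlet and carries both
    operation=addOrModifyUser and roleId=DCAdmin, in the query or a form body."""
    parts = urlsplit(target)
    if "/dcoperationsservlet" not in unquote(parts.path).lower():
        return False
    # parse_qsl percent-decodes names and values; parameter order does not matter.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    # Case-insensitive comparison is a deliberate broadening for triage.
    seen = {(k.lower(), v.lower()) for k, v in params}
    return ("operation", "addormodifyuser") in seen and ("roleid", "dcadmin") in seen

def scan_access_log(lines):
    """Return (source, method, status) for each matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_admin_reset_request(m["target"]):
            hits.append((m["src"], m["method"], m["status"]))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jul/2025:10:00:01 +0000] "GET /servlets/DCOperationsServlet?operation=addOrModifyUser&roleId=DCAdmin HTTP/1.1" 200 12',
    '198.51.100.9 - - [08/Jul/2025:10:00:05 +0000] "POST /servlets/DCOperationsServlet?roleId=DC%41dmin&operation=addOrModifyUser HTTP/1.1" 200 12',
    '192.0.2.20 - - [08/Jul/2025:10:01:00 +0000] "GET /servlets/DCOperationsServlet?operation=addOrModifyUser HTTP/1.1" 200 40',
    '192.0.2.21 - - [08/Jul/2025:10:02:00 +0000] "GET /index.html?roleId=DCAdmin HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for triage, not confirmation: check the installed build number and the response status before escalating.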

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N