CVE-2015-7765
published 2015-10-09


Priority: P2 (74, critical)
CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploit: available
EPSS: 67.28% (99.2nd percentile)
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.

Affected (1 range)

Vendor: zohocorp
Product: manageengine_opmanager
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

other (hardcoded credential): IntegrationUser:plugin
url: /jsp/Login.do
url: /api/json/admin/SubmitQuery
url: /LoginPage.do
path: ..//..//tomcat//webapps//<app_base>.war
command: SELECT lo_create(-1)
command: INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(..., DECODE(..., 'base64'))
command: SELECT lo_unlink(-1)
  • Detect POST login attempts to /jsp/Login.do with authType=localUserLogin that use the hardcoded hidden account 'IntegrationUser' with password 'plugin'.
  • Alert on HTTP POST requests to /api/json/admin/SubmitQuery whose body contains the SQL keywords INSERT, lo_create, lo_export or lo_unlink. Normalize SQL block comments before matching, because the keyword can be split with a comment to evade a naive filter (INSERT/**/INTO).
  • Monitor for WAR file creation under the Tomcat webapps directory (tomcat/webapps/*.war) by the OpManager PostgreSQL process; this indicates a payload dropped via lo_export.
  • Detect the API key pattern window.OPM.apiKey = "[a-z0-9]+" in HTTP responses to a login by IntegrationUser: a successful login returns this key, which is then used to authenticate the SubmitQuery requests that carry the SQL abuse.
  • Flag an HTTP GET to /LoginPage.do followed immediately by a POST to /jsp/Login.do with domainName=NULL and authType=localUserLogin from the same source IP as a potential exploitation attempt. An ordinary browser login follows the same sequence, so treat this as a corroborating signal for the rules above rather than an alert on its own.
  • The hardcoded 'IntegrationUser' account cannot be reset or removed through the OpManager user interface, so patching or upgrading is the only remediation; detection must assume the account is permanently present in affected builds.
  • The exploit has been confirmed working on OpManager v11.0 and v11.4–v11.6 for Windows. Scope detections to these versions, but note that the hardcoded credential may exist in earlier builds as well (NVD states build 11600 and earlier).
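The request-side rules above, as an added example that is not part of this page and not OpManager or vendor tooling: a small Python detector run over a constructed proxy log. Everything it matches on (the three paths, the IntegrationUser:plugin pair, authType=localUserLogin, domainName=NULL, the INSERT/lo_create/lo_export/lo_unlink keywords, the INSERT/**/INTO comment bypass and the window.OPM.apiKey response pattern) comes from the IOC list; the tab-separated log layout, the sample addresses and timestamps, and the form field names userName, password, apiKey and query are assumptions made for the sample. The host-side rule (WAR files written under tomcat/webapps by the PostgreSQL process) is not covered here, since it needs file or process telemetry rather than HTTP logs.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log, not a real capture. Hypothetical tab-separated proxy
# log: timestamp, source IP, method, path, request body, response snippet.
# Field names userName/password/apiKey/query are assumptions; the paths, the
# IntegrationUser:plugin pair, authType=localUserLogin, domainName=NULL, the
# SQL statements and the window.OPM.apiKey pattern come from the IOC list.
SAMPLE_LOG = """\
2015-10-09T10:00:01Z\t10.0.0.5\tGET\t/LoginPage.do\t\t
2015-10-09T10:00:02Z\t10.0.0.5\tPOST\t/jsp/Login.do\tuserName=IntegrationUser&password=plugin&domainName=NULL&authType=localUserLogin\twindow.OPM.apiKey = "3f9a0c1d2e"
2015-10-09T10:00:03Z\t10.0.0.5\tPOST\t/api/json/admin/SubmitQuery\tapiKey=3f9a0c1d2e&query=SELECT+lo_create(-1)\t{"status":"ok"}
2015-10-09T10:00:04Z\t10.0.0.5\tPOST\t/api/json/admin/SubmitQuery\tapiKey=3f9a0c1d2e&query=INSERT/**/INTO+pg_largeobject+(loid,pageno,data)+VALUES(-1,0,DECODE('UEsD','base64'))\t{"status":"ok"}
2015-10-09T10:05:00Z\t10.0.0.9\tPOST\t/jsp/Login.do\tuserName=admin&password=Summer2015&domainName=NULL&authType=localUserLogin\t<html>
2015-10-09T10:05:01Z\t10.0.0.9\tPOST\t/api/json/admin/SubmitQuery\tapiKey=abc123&query=SELECT+name+FROM+devices\t{"status":"ok"}
"""

SQL_KEYWORDS = re.compile(r"\b(insert|lo_create|lo_export|lo_unlink)\b", re.IGNORECASE)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
API_KEY = re.compile(r'window\.OPM\.apiKey\s*=\s*"([a-z0-9]+)"')


def parse_log(text):
    """Split the log into records with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, body, resp = line.split("\t", 5)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "src": src, "method": method, "path": path,
                        "body": body, "resp": resp})
    return records


def form_values(body):
    """Decode a form body to {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def hardcoded_login(rec):
    """POST /jsp/Login.do carrying IntegrationUser:plugin with authType=localUserLogin.
    Matches on the values, not the field names, so the assumed names above do not matter."""
    if rec["method"] != "POST" or rec["path"] != "/jsp/Login.do":
        return False
    vals = form_values(rec["body"])
    return ("IntegrationUser" in vals.values() and "plugin" in vals.values()
            and vals.get("authType") == "localUserLogin")


def submitquery_abuse(rec):
    """POST /api/json/admin/SubmitQuery containing INSERT/lo_create/lo_export/lo_unlink.
    Block comments become whitespace first, so INSERT/**/INTO still matches INSERT."""
    if rec["method"] != "POST" or rec["path"] != "/api/json/admin/SubmitQuery":
        return False
    normalized = SQL_COMMENT.sub(" ", unquote_plus(rec["body"]))
    return SQL_KEYWORDS.search(normalized) is not None


def leaked_api_key(rec):
    """API key returned in the response to a hardcoded-account login, else None."""
    m = API_KEY.search(rec["resp"])
    return m.group(1) if m and hardcoded_login(rec) else None


def login_sequence(records, window=timedelta(seconds=30)):
    """Source IPs that GET /LoginPage.do and then, within `window`, POST
    /jsp/Login.do with domainName=NULL and authType=localUserLogin."""
    last_get, hits = {}, []
    for rec in records:
        if rec["method"] == "GET" and rec["path"] == "/LoginPage.do":
            last_get[rec["src"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"] == "/jsp/Login.do":
            vals = form_values(rec["body"])
            seen = last_get.get(rec["src"])
            if (seen is not None and rec["ts"] - seen <= window
                    and vals.get("domainName") == "NULL"
                    and vals.get("authType") == "localUserLogin"):
                hits.append(rec["src"])
    return hits


def run_detections(text):
    """Return (rule, detail) alerts for every record in the log text."""
    records = parse_log(text)
    alerts = []
    for rec in records:
        if hardcoded_login(rec):
            alerts.append(("hardcoded_integrationuser_login", rec["src"]))
        key = leaked_api_key(rec)
        if key:
            alerts.append(("apikey_returned_to_integrationuser", key))
        if submitquery_abuse(rec):
            alerts.append(("submitquery_sql_abuse", rec["src"]))
    for src in login_sequence(records):
        alerts.append(("loginpage_then_localuserlogin", src))
    return alerts


if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

The block comment is replaced with a space rather than deleted: stripping it would turn INSERT/**/INTO into INSERTINTO, and a word-boundary match on INSERT would then miss it. The admin's SELECT against SubmitQuery in the sample is deliberately not flagged, since the page's rule keys on the write and large-object keywords. The GET-then-POST sequence rule fires for an ordinary browser login as well, so in this sample it only adds weight to the hardcoded-login and SubmitQuery hits from the same source.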