CVE-2015-7765
Published 2015-10-09
Priority P2 · 74 · critical · CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
EXPLOIT
EPSS: 67.28% (99.2th percentile)
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | — | — |
Detection & IOCs (extracted from sources)
- Detect POST login attempts to /jsp/Login.do with authType=localUserLogin using the hardcoded hidden account 'IntegrationUser' with password 'plugin'.
- Alert on HTTP POST requests to /api/json/admin/SubmitQuery containing the SQL keywords INSERT, lo_create, lo_export, or lo_unlink, especially with comment-based keyword bypass (INSERT/**/INTO).
- Monitor for WAR file creation under the Tomcat webapps directory (tomcat/webapps/*.war) originating from the OpManager PostgreSQL process, indicating an lo_export-based payload drop.
- Detect the API key extraction pattern in HTTP responses: window.OPM.apiKey = "[a-z0-9]+". A successful login by IntegrationUser returns this key, which is then used for the subsequent SQL abuse.
- Flag an HTTP GET request to /LoginPage.do followed immediately by a POST to /jsp/Login.do with domainName=NULL and authType=localUserLogin from the same source IP as a potential exploitation attempt.
- The hardcoded 'IntegrationUser' account cannot be reset or removed through the OpManager user interface, so patching or upgrading is the only remediation; detection must account for this account being permanently present in affected builds.
- The exploit has been confirmed working on OpManager v11.0 and v11.4–v11.6 for Windows; detections should be scoped to these versions, but the hardcoded credential may exist in earlier builds as well (NVD states build 11600 and earlier).
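A small detector for the login, SubmitQuery and apiKey bullets above, as an added example that is not part of this record or of any vendor tooling. It runs over constructed request records of the kind a proxy or WAF that logs POST bodies would emit (the userName and password field names are assumptions; domainName, authType and the paths come from the bullets), normalises SQL block comments so INSERT/**/INTO is caught, and pulls the apiKey string a successful login returns so later SubmitQuery calls can be tied to it.

```python
import re
from urllib.parse import parse_qs

# Constructed request records (src_ip, method, path, body) as a proxy or WAF that
# logs POST bodies might emit. userName/password field names are assumptions.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "POST", "/jsp/Login.do",
     "userName=IntegrationUser&password=plugin&domainName=NULL&authType=localUserLogin"),
    ("203.0.113.5", "POST", "/api/json/admin/SubmitQuery",
     "apiKey=0123abcd&query=INSERT/**/INTO+t+VALUES(1)"),
    ("198.51.100.7", "POST", "/jsp/Login.do",
     "userName=opsadmin&password=s3cret&domainName=NULL&authType=localUserLogin"),
    ("198.51.100.7", "POST", "/api/json/admin/SubmitQuery",
     "apiKey=0123abcd&query=SELECT+count(*)+FROM+Alert"),
]

# Phrases from the SubmitQuery bullet; matched only after comment normalisation.
SQL_PATTERNS = re.compile(r"\binsert\s+into\b|\blo_(create|export|unlink)\s*\(", re.I)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
API_KEY = re.compile(r'window\.OPM\.apiKey = "([a-z0-9]+)"')

def normalize_sql(query):
    """Collapse /* */ comments to a space so INSERT/**/INTO reads INSERT INTO."""
    return BLOCK_COMMENT.sub(" ", query)

def classify(method, path, body):
    """Return the rule names a single request triggers."""
    if method != "POST":
        return []
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    hits = []
    if (path == "/jsp/Login.do" and params.get("authType") == "localUserLogin"
            and params.get("userName") == "IntegrationUser"):
        hits.append("hardcoded-integrationuser-login")
    if (path == "/api/json/admin/SubmitQuery"
            and SQL_PATTERNS.search(normalize_sql(params.get("query", "")))):
        hits.append("submitquery-sql-abuse")
    return hits

def detect(records):
    """Run the rules over a batch; returns (src_ip, rule) findings in order."""
    return [(src, rule) for src, method, path, body in records
            for rule in classify(method, path, body)]

def extract_api_key(response_body):
    """apiKey returned on successful login, for correlating later SubmitQuery abuse."""
    m = API_KEY.search(response_body)
    return m.group(1) if m else None
```

Running `detect(SAMPLE_REQUESTS)` reports both the IntegrationUser login and the comment-obfuscated INSERT from 203.0.113.5 and nothing for the ordinary admin session from 198.51.100.7.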
No detection rules found.
Exploit-DB
ManageEngine OpManager - Remote Code Execution (Metasploit)
Exploit-DB · 2015-09-17 · CVE-2015-7766
---
Module header (excerpt, truncated in the source):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ManageEngine OpManager Remote Code Execution',
      'Description' => %q{
        This module exploits a default credential vulnerability in ManageEngine OpManager, where a
        default hidden account "IntegrationUser" with administrator privileges exists. The account
        has a default password of "plugin" which can not be reset through the user interface. By
        log-in and abusing the default administrator's SQL query functionality, it's possible to
        write a WAR payload to disk and trigger an automatic deployment of this payload. This
        module has been tested successfully on OpMa
```
Metasploit
ManageEngine OpManager Remote Code Execution
This module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which cannot be reset through the user interface. By logging in and abusing the default administrator's SQL query functionality, it is possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This module has been tested successfully on OpManager v11.0 and v11.4–v11.6 for Windows.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/133596/ManageEngine-OpManager-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2015/Sep/66
- http://www.rapid7.com/db/modules/exploit/windows/http/manage_engine_opmanager_rce
- https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
- https://www.exploit-db.com/exploits/38221/