CVE-2015-7766
published 2015-10-09


Priority: P2 (70) · Severity: critical · CVSS 2.0 base score: 9.0
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 80.64% (99.6th percentile)
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."

Affected (2 ranges)

Vendor     Product                  Version range   Fixed in
zohocorp   manageengine_opmanager   <= 11.5
zohocorp   manageengine_opmanager

Detection & IOCs (extracted from sources)

url: api/json/admin/SubmitQuery
command: INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(...)
command: SELECT lo_export(..., '..//..//tomcat//webapps//<app>.war')
path: ..//..//tomcat//webapps//
  • Detect login attempts using the hidden default account 'IntegrationUser' with password 'plugin' against the ManageEngine OpManager login endpoint.
  • Alert on POST requests to 'api/json/admin/SubmitQuery' containing SQL comment sequences (e.g., /**/) used to bypass keyword filtering, particularly patterns like INSERT/**/INTO or UPDATE/**/SET.
  • Monitor for SQL queries that reference the 'pg_largeobject' table together with lo_export calls writing .war files into the Tomcat webapps directory; this is the staging pattern for WAR-based remote code execution.
  • Detect lo_export SQL calls whose target path contains 'tomcat/webapps' and ends in .war; this indicates the SQL query endpoint is being used to deploy a malicious WAR payload.
  • Monitor for unexpected new .war files under the Tomcat webapps folder on OpManager hosts and for their subsequent expansion into a directory, which indicates Tomcat has auto-deployed the payload.
  • Flag HTTP responses from OpManager's post-login page containing the pattern 'window.OPM.apiKey = "[a-z0-9]+"' when the preceding login used the hidden 'IntegrationUser' account. Every legitimate post-login page carries this line, so on its own it only shows that a login succeeded; correlated with the default-account login it shows the attacker obtained an API key for the SubmitQuery step.
  • The hidden 'IntegrationUser' account with password 'plugin' cannot be reset through the OpManager user interface, so it remains a persistent entry point on unpatched versions.
  • The exploit has been confirmed to work on OpManager v11.0 and v11.4–v11.6 for Windows; detection and patching efforts should prioritize these versions.
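The detection bullets above, as an added worked example that is not part of this entry and is neither OpManager's code nor the advisory author's PoC: a small Python detector that applies those checks to a few constructed request records. The record layout, the form field names ("username", "password", "query") and the login path "/login" are assumptions for illustration; the SubmitQuery path, the IntegrationUser/plugin account, the pg_largeobject, lo_export and tomcat webapps patterns and the apiKey response pattern are taken from the text above. The block also includes an illustrative whitespace-based keyword filter (not OpManager's real filter) to show concretely why INSERT/**/INTO slips past a naive block list and why stripping comments before matching closes that particular gap.

```python
"""Added example for the detection bullets on CVE-2015-7766.  Not OpManager's
code and not the advisory's PoC.  Record layout, the form field names
("username", "password", "query") and LOGIN_PATH are assumptions; the
SubmitQuery path, the IntegrationUser account, the pg_largeobject / lo_export /
tomcat webapps patterns and the apiKey pattern come from the advisory text."""
import re

SUBMIT_QUERY_PATH = "api/json/admin/SubmitQuery"   # from the advisory
LOGIN_PATH = "/login"                               # assumed placeholder path
DEFAULT_USER = "IntegrationUser"                    # hidden account, from the advisory

_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
_WS_RE = re.compile(r"\s+")
# A write keyword immediately followed by a block comment: the bypass shape itself.
_OBFUSCATED_RE = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\s*/\*.*?\*/", re.I | re.S)
# Applied to the normalized query, where comments are gone and whitespace is single spaces.
_WRITE_RE = re.compile(r"\b(INSERT INTO|UPDATE \S+ SET|DELETE FROM|DROP TABLE|CREATE TABLE|ALTER TABLE)\b", re.I)
_LOB_RE = re.compile(r"\bpg_largeobject\b", re.I)
# Matches the IOC path even with the doubled separators used in the PoC ('..//..//tomcat//webapps//').
_LO_EXPORT_RE = re.compile(r"\blo_export\s*\(.*?tomcat[\\/]+webapps[\\/].*?\.war\b", re.I | re.S)
_APIKEY_RE = re.compile(r'window\.OPM\.apiKey = "([a-z0-9]+)"')


def normalize_sql(query: str) -> str:
    """Remove /* */ and -- comments and collapse whitespace so that
    'INSERT/**/INTO' and 'INSERT   INTO' both read 'INSERT INTO'."""
    return _WS_RE.sub(" ", _COMMENT_RE.sub(" ", query)).strip()


def naive_keyword_filter(query: str) -> bool:
    """Illustrative whitespace-based block list, NOT OpManager's real filter.
    True means the query is rejected.  A comment between the two words of a
    blocked phrase defeats it, which is the bug class this CVE describes."""
    blocked = re.compile(r"\b(INSERT\s+INTO|UPDATE\s+\S+\s+SET|DELETE\s+FROM|DROP\s+TABLE)\b", re.I)
    return bool(blocked.search(query))


def hardened_keyword_filter(query: str) -> bool:
    """The same block list applied after comment stripping.  Still a deny list:
    lo_export inside a SELECT passes it, so the detector checks lo_export separately."""
    return naive_keyword_filter(normalize_sql(query))


def analyze_request(rec: dict) -> list:
    """Return the detection findings for one request record."""
    findings = []
    form = rec.get("form", {})
    path = rec.get("path", "")
    if path.endswith(LOGIN_PATH) and form.get("username") == DEFAULT_USER:
        findings.append("hidden default account login attempt")
        # The apiKey line is on every legitimate post-login page, so it is only
        # reported when the login that produced it used the hidden account.
        if _APIKEY_RE.search(rec.get("resp_body", "")):
            findings.append("api key issued to hidden default account")
    if SUBMIT_QUERY_PATH in path:
        raw = form.get("query", "")
        norm = normalize_sql(raw)
        if _OBFUSCATED_RE.search(raw):
            findings.append("comment-obfuscated SQL keyword")
        if _WRITE_RE.search(norm):
            findings.append("write statement sent to SubmitQuery")
        if _LOB_RE.search(norm):
            findings.append("pg_largeobject access")
        if _LO_EXPORT_RE.search(norm):
            findings.append("lo_export into Tomcat webapps (.war)")
    return findings


def scan(records) -> dict:
    """Map record index -> findings, for every record that produced any."""
    out = {}
    for i, rec in enumerate(records):
        found = analyze_request(rec)
        if found:
            out[i] = found
    return out


# Constructed sample traffic (not captured data).  Records 1-3 follow the
# exploitation chain from the advisory; records 0 and 4 are benign controls.
SAMPLE_LOG = [
    {"src": "10.0.0.7", "method": "POST", "path": "/login",
     "form": {"username": "admin", "password": "x"},
     "resp_body": 'window.OPM.apiKey = "9f2c1a7d3e"'},
    {"src": "10.0.0.9", "method": "POST", "path": "/login",
     "form": {"username": "IntegrationUser", "password": "plugin"},
     "resp_body": 'window.OPM.apiKey = "c0ffee1234"'},
    {"src": "10.0.0.9", "method": "POST", "path": "/api/json/admin/SubmitQuery",
     "form": {"query": "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(4242,0,'\\x504b0304')"}},
    {"src": "10.0.0.9", "method": "POST", "path": "/api/json/admin/SubmitQuery",
     "form": {"query": "SELECT lo_export(4242, '..//..//tomcat//webapps//x.war')"}},
    {"src": "10.0.0.7", "method": "POST", "path": "/api/json/admin/SubmitQuery",
     "form": {"query": "SELECT count(*) FROM Alert"}},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, SAMPLE_LOG[idx]["src"], findings)
```

Running the block prints the three flagged records (the hidden-account login with its apiKey, the comment-obfuscated INSERT into pg_largeobject, and the lo_export into the webapps directory) and stays silent on the two benign ones. Two design points carry over to a real rule set: the apiKey pattern is reported only in the context of the default-account login, because on its own it fires on every successful login, and lo_export is matched independently of any write-keyword list, because it is reachable from a plain SELECT and a comment-aware deny list alone would not catch it.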