CVE-2018-17283
Published: 2018-09-21
Priority: P184 · high · 7.5 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 66.35% (99.2th percentile)
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | < 12.3 | 12.3 |
Detection & IOCs (extracted from sources)
command: name=KcP7OGhC';select%20pg_sleep(6);%20--
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager setManaged SQL Injection (CVE-2018-17283)"; flow:established,to_server; http.uri; content:"/device/setManaged"; fast_pattern; http.request_body; content:"name|3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; reference:url,peemangit.tistory.com/243; reference:cve,2018-17283; classtype:web-application-attack; sid:2066287; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_11, cve CVE_2018_17283, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Unauthenticated GET to /oputilsServlet?action=getAPIKey is the first stage of the exploit chain; the response body contains an API key matching the regex API_KEY=([0-9a-z]+), which is then reused in subsequent attack requests.
- Second-stage POST to /api/json/device/setManaged with the extracted apiKey and a time-based SQL injection payload in the 'name' body parameter; a response duration ≥6 seconds with HTTP 200 and a JSON body containing 'result' confirms exploitation.
- The Nuclei template uses a time-based blind SQLi payload targeting PostgreSQL (pg_sleep); detection should alert on pg_sleep or equivalent sleep calls in POST bodies to /device/setManaged.
- Shodan/FOFA exposure query for identifying internet-facing OpManager instances: http.title:"OpManager" / title="OpManager".
- The Snort/ET rule triggers on HTTP requests to URIs containing /device/setManaged where the request body has a 'name=' parameter whose value, before the next '&', contains an SQL-special character (single/double quote, semicolon, dash, backslash, asterisk, slash) or one of their URL-encoded equivalents.
- The exploit is a two-step chain: step 1 retrieves an API key unauthenticated; step 2 uses that key to perform SQL injection. Detection must correlate both requests; blocking only the second step may miss the key-harvesting phase.
- The ET Snort rule (sid:2066287) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect encrypted traffic; without SSL inspection the rule will not fire on HTTPS-protected OpManager instances.
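The two-stage correlation and the sid:2066287 body check from the notes above, run over web-log events, as an added example (not code from this page's sources or from Emerging Threats). The event tuple layout, the 300-second window, the verdict labels and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Python port of the pcre in ET sid:2066287, applied to the raw request body.
ET_NAME_RE = re.compile(
    r"name=[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))")
SLEEP_RE = re.compile(r"pg_sleep\s*\(", re.I)  # only pg_sleep is covered here
STAGE2_PATHS = ("/api/json/device/setManaged", "/api/json/v2/admin/addUser")
WINDOW = 300  # assumed correlation window, in seconds

# Constructed sample events: (epoch, src, method, uri, body, response_seconds)
SAMPLE = [
    (1000, "203.0.113.7", "GET", "/oputilsServlet?action=getAPIKey", "", 0.1),
    (1004, "203.0.113.7", "POST", "/api/json/device/setManaged",
     "apiKey=0123abcd&name=KcP7OGhC';select%20pg_sleep(6);%20--", 6.2),
    (1010, "198.51.100.4", "POST", "/api/json/device/setManaged",
     "apiKey=89efcdab&name=coreswitch01", 0.2),
    (1020, "192.0.2.9", "GET", "/oputilsServlet?action=getAPIKey", "", 0.1),
]

def is_key_request(method, uri):
    parts = urlsplit(uri)
    return (method == "GET" and parts.path.endswith("/oputilsServlet")
            and "getAPIKey" in parse_qs(parts.query).get("action", []))

def body_findings(body, duration):
    """Indicators in a setManaged body; a slow response only corroborates."""
    found = []
    if ET_NAME_RE.search(body):
        found.append("sqli-chars-in-name")
    if SLEEP_RE.search(unquote(body)):
        found.append("sleep-call")
    if found and duration >= 6:
        found.append("slow-response")
    return found

def detect(events):
    """Return (src, verdict, indicators) alerts, correlating both stages per source."""
    key_seen, alerts = {}, []
    for ts, src, method, uri, body, duration in sorted(events):
        path = urlsplit(uri).path
        if is_key_request(method, uri):
            key_seen[src] = ts
            alerts.append((src, "stage1-key-harvest", []))
        elif method == "POST" and path.endswith(STAGE2_PATHS):
            chained = src in key_seen and ts - key_seen[src] <= WINDOW
            found = body_findings(body, duration) if "setManaged" in path else []
            if chained or found:
                alerts.append((src, "chain" if chained else "stage2-only", found))
    return alerts
```

Because the rule's character class includes `-` and `/`, an ordinary device name such as `core-sw01` also matches, so the character check alone is a prompt for review and the stage-1 correlation is what raises confidence.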
CVSS provenance
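| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |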
GHSA
ghsa_unreviewed·2022-05-14
CVE-2018-17283 [HIGH] CWE-89 GHSA-44v2-pxvh-gf8w: Zoho ManageEngine OpManager before 12
VulnCheck
Zoho manageengine_opmanager Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2018·CVSS 7.5
Affected: Zoho manageengine_opmanager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-06&host_type=sr
Suricata
ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager setManaged SQL Injection (CVE-2018-17283)
suricata·2025-12-11·CVSS 7.5
Nuclei
Zoho ManageEngine OpManager - SQL Injection
nuclei·CVSS 7.5
Template:
id: CVE-2018-17283
info:
  name: Zoho ManageEngine OpManager - SQL Injection
  author: DhiyaneshDK
  severity: high
  description: |
    Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api
No writeups or analysis indexed.