CVE-2018-17283
published 2018-09-21

Priority: P184 (high)
CVSS 3.0: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 66.35% (99.2nd percentile)
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.

Affected

1 range

Vendor     Product                  Version range   Fixed in
zohocorp   manageengine_opmanager   < 12.3          12.3

Note: the description above gives the fixed version more precisely as 12.3 Build 123196; a 12.3 install on an earlier build should be treated as affected.

Detection & IOCs (extracted from sources)

url      /oputilsServlet?action=getAPIKey
path     /oputilsServlet
path     /api/json/v2/admin/addUser
path     /api/json/device/setManaged
payload  name=KcP7OGhC';select%20pg_sleep(6);%20--   (setManaged POST body parameter, time-based blind SQLi)
snort/suricata rule (ET sid 2066287; written with Suricata 5+ sticky buffers http.uri / http.request_body)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager setManaged SQL Injection (CVE-2018-17283)"; flow:established,to_server; http.uri; content:"/device/setManaged"; fast_pattern; http.request_body; content:"name|3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; reference:url,peemangit.tistory.com/243; reference:cve,2018-17283; classtype:web-application-attack; sid:2066287; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_11, cve CVE_2018_17283, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Unauthenticated GET to /oputilsServlet?action=getAPIKey is the first stage of the exploit chain; the response body contains an API key matching the regex API_KEY=([0-9a-z]+), which is then reused in the subsequent requests.
  • The second stage is a POST to /api/json/device/setManaged carrying the extracted apiKey and a time-based SQL injection payload in the 'name' body parameter; a response that takes ≥6 seconds, returns HTTP 200 and has a JSON body containing 'result' indicates the injected pg_sleep(6) executed.
  • The Nuclei template uses a time-based blind SQLi payload targeting PostgreSQL (pg_sleep); detection should alert on pg_sleep or equivalent delay functions in POST bodies to /device/setManaged, after URL-decoding the body.
  • Shodan/FOFA exposure queries for identifying internet-facing OpManager instances: http.title:"OpManager" (Shodan) / title="OpManager" (FOFA).
  • The ET rule (sid:2066287) fires on an HTTP request whose URI contains /device/setManaged and whose body has a 'name=' parameter whose value contains, anywhere before the next '&', one of ' " ; - \ * / or their URL-encoded equivalents (%27 %22 %3B %2D %5C %2A %2F). Two consequences follow from the rule text: the pcre's ^[^&]*? is a lazy prefix, not a requirement that the value start with the metacharacter, and because '-' is in the class a legitimate hyphenated device name also matches; and content:"name|3d|" is not anchored to a parameter boundary, so a parameter such as 'hostname=' satisfies it too.
  • The exploit is a two-step chain: step 1 retrieves an API key unauthenticated; step 2 uses that key to perform SQL injection. Detection should correlate both requests from the same source: blocking or alerting only on the second step misses the key-harvesting phase, which by itself already hands the attacker a valid API key.
  • The rule uses Suricata sticky buffers (http.uri, http.request_body) and is tagged tls_state TLSDecrypt / deployment SSLDecrypt: it inspects plaintext HTTP, so without TLS decryption it will not fire on HTTPS-protected OpManager instances.
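The following Python is an added example, not code from this page, from Emerging Threats or from Nuclei. It reproduces the ET rule's body check (the 'name=' search followed by the metacharacter class from the pcre) and layers on the two things the bullets above ask for: a URL-decoded check for pg_sleep and similar delay calls, and correlation of a setManaged POST with an earlier getAPIKey request from the same source. The request records, field layout, IP addresses, API key values and the low/medium/high severity scheme are constructed for illustration; the SLEEP_CALL_RE pattern is this example's own and is broader than what the page's rule or template match.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Constructed sample requests (not taken from the page): (src_ip, method, uri, raw body).
# Bodies are left URL-encoded, as a reverse proxy or WAF would normally log them.
SAMPLE_REQUESTS: List[Tuple[str, str, str, str]] = [
    ("203.0.113.7",  "GET",  "/oputilsServlet?action=getAPIKey", ""),
    ("203.0.113.7",  "POST", "/api/json/device/setManaged",
     "apiKey=0a1b2c3d4e5f&name=KcP7OGhC';select%20pg_sleep(6);%20--"),
    ("198.51.100.4", "POST", "/api/json/device/setManaged",
     "apiKey=abcdef0123&name=core-switch-01"),          # benign, but '-' is in the rule's class
    ("198.51.100.9", "GET",  "/oputilsServlet?action=getAPIKey", ""),
    ("198.51.100.4", "GET",  "/apiclient/ember/index.jsp", ""),
]

KEY_HARVEST_URI = "/oputilsServlet?action=getAPIKey"
SETMANAGED_PATH = "/api/json/device/setManaged"

# Character class copied from the ET rule's pcre: ' " ; - \ * / raw, or %-encoded
# (%22 %27 %2A %2D %2F %3B %5C).
SQL_METACHAR_RE = re.compile(r"[\x27\x22\x3b\x2d\x5c\x2a\x2f]|%(?:2[27aAdDfF]|3[bB]|5[cC])")

# Higher-confidence indicator (this example's own pattern): a time-delay call in the
# URL-decoded value. pg_sleep is what the page's payload uses; the others are analogues.
SLEEP_CALL_RE = re.compile(
    r"pg_sleep\s*\(|\bsleep\s*\(|benchmark\s*\(|waitfor\s+delay", re.IGNORECASE)


def name_values(body: str) -> List[str]:
    """Every value that follows a literal 'name=' in the body, up to the next '&'.

    Mirrors content:"name|3d|" plus the /R pcre: the search is not anchored to a
    parameter boundary, so 'hostname=' is found as well.
    """
    return [body[m.end():].split("&", 1)[0] for m in re.finditer("name=", body)]


def et_rule_hit(body: str) -> bool:
    """True when some 'name=' value contains a SQL metacharacter anywhere before the
    next '&'. The rule's ^[^&]*? is a lazy prefix, not a first-character anchor."""
    return any(SQL_METACHAR_RE.search(v) for v in name_values(body))


def sleep_hit(body: str) -> bool:
    """True when a decoded 'name=' value contains a delay call such as pg_sleep(...)."""
    return any(SLEEP_CALL_RE.search(unquote_plus(v)) for v in name_values(body))


def correlate(requests: List[Tuple[str, str, str, str]]) -> List[Dict[str, object]]:
    """Two-pass correlation over a batch of requests.

    Pass 1 collects sources that pulled an API key unauthenticated (stage 1).
    Pass 2 scores setManaged POSTs: a delay call, or a rule hit from a source that
    already harvested a key, is high; a bare rule hit (e.g. a hyphenated name) is low.
    Stage-1 requests are reported on their own so key harvesting is never silent.
    """
    harvesters = {ip for ip, method, uri, _ in requests
                  if method == "GET" and uri == KEY_HARVEST_URI}
    findings: List[Dict[str, object]] = []
    for ip, method, uri, body in requests:
        if method == "GET" and uri == KEY_HARVEST_URI:
            findings.append({"src": ip, "stage": 1, "severity": "medium",
                             "reason": "unauthenticated API key retrieval"})
            continue
        if not (method == "POST" and uri.split("?", 1)[0] == SETMANAGED_PATH):
            continue
        sig, slp, corr = et_rule_hit(body), sleep_hit(body), ip in harvesters
        if not sig and not slp:
            continue
        severity = "high" if (slp or (sig and corr)) else "low"
        findings.append({"src": ip, "stage": 2, "severity": severity, "et_rule": sig,
                         "sleep_call": slp, "key_harvest_seen": corr})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_REQUESTS):
        print(f)
```

Run against the constructed batch, 203.0.113.7 produces a stage-1 finding and a high stage-2 finding (rule hit, pg_sleep present, key harvest seen), 198.51.100.4 produces only a low finding because "core-switch-01" trips the rule's '-' but carries no delay call, and 198.51.100.9 shows up as a stage-1 finding with no follow-up, which is exactly the case a second-stage-only signature would never surface.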

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck   -         7.5     HIGH       -