Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-19374 — Incorrect Permission Assignment in Manageengine Admanager Plus

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

7.0HIGHNVD

EPSS

0.1%

top 71.81%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine Admanager Plus

Timeline

PublishedApr 30

Latest updateMay 24

Description

Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to gain privileges (after a reboot) by placing a Trojan horse file into the permissive bin directory.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages1 packages

▶NVDzohocorp/manageengine_admanager_plus6.6

🔴Vulnerability Details

GHSA

GHSA-vrvf-6v98-rp7r: Zoho ManageEngine ADManager Plus 6↗2022-05-24

▶

CVEList

CVE-2018-19374: Zoho ManageEngine ADManager Plus 6↗2019-04-30

▶

💥Exploits & PoCs

Exploit-DB

Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation↗2019-04-16

▶