CVE-2018-7890
Published 2018-03-08
Priority P1 · 84 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 79.16% (99.6th percentile)
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_applications_manager | < 13.6 | 13.6 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the /testCredential.do endpoint with the parameter 'type=OfficeSharePointServer', which is the specific trigger condition for the command injection vulnerability.
- Alert on POST requests to /testCredential.do containing 'UserName' parameter values with shell subshell syntax (e.g., '$(' characters), indicating active command injection exploitation attempts.
- Monitor for PowerShell processes spawned as children of the ManageEngine Applications Manager process (e.g., java.exe or wrapper.exe), which would indicate successful exploitation of the command injection.
- The check method fingerprints a vulnerable instance by looking for the string 'Kindly check the credentials and try again' in the HTTP response body to /testCredential.do; presence of this string confirms exploitability.
- The exploit targets ManageEngine Applications Manager versions before 13.6 (build 13640). Versions at or above build 13640 are patched and not vulnerable.
- Exploitation requires no authentication — the vulnerable /testCredential.do endpoint is publicly accessible without credentials, meaning perimeter controls alone are insufficient if the service is internet-exposed.
- The Metasploit module sets WfsDelay to 10 seconds, indicating the payload execution may be delayed; detection rules based on immediate response timing may miss the exploitation.
- The module author notes that using a real IP (127.0.0.1) for HostName is intentional to avoid triggering SIEMs or DLP systems on outbound connections; defenders should not rely solely on outbound connection monitoring for detection.
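The first two detection points above, written out as a small classifier over captured requests. This is an added example for this page, not code from the vulnerability database or from the Metasploit module; the request records are constructed, and it assumes the form body of each POST was captured (for example by a WAF or reverse proxy with body logging), since a plain access log would not contain the 'type' and 'UserName' parameters.

```python
from urllib.parse import parse_qs

# Constructed sample of captured requests: (method, path, url-encoded form body, client ip).
# Not real traffic; the third record carries the '$(' subshell syntax the advisory mentions.
SAMPLE_REQUESTS = [
    ("GET", "/index.do", "", "10.0.0.5"),
    ("POST", "/testCredential.do",
     "type=OfficeSharePointServer&HostName=127.0.0.1&UserName=admin&Password=secret", "10.0.0.5"),
    ("POST", "/testCredential.do",
     "type=OfficeSharePointServer&HostName=127.0.0.1&UserName=%24(hostname)&Password=x", "203.0.113.9"),
    ("POST", "/testCredential.do", "type=LinuxServer&UserName=%24(id)&Password=x", "203.0.113.9"),
]

VULN_ENDPOINT = "/testCredential.do"
TRIGGER_TYPE = "OfficeSharePointServer"          # the only 'type' routed to the PowerShell script
CREDENTIAL_FIELDS = ("UserName", "Password")      # the parameters passed without validation
SHELL_MARKERS = ("$(", "`")                        # subshell syntax the advisory calls out


def classify_request(method, path, body):
    """Return None, 'probe', 'suspicious' or 'injection' for one captured request.

    probe       - unauthenticated POST to the endpoint with type=OfficeSharePointServer
    injection   - same, and a credential field contains shell subshell syntax
    suspicious  - shell syntax in a credential field for a type the advisory does not cover
    """
    if method != "POST" or path != VULN_ENDPOINT:
        return None
    params = parse_qs(body, keep_blank_values=True)   # percent-decodes, e.g. %24( -> $(
    is_trigger_type = TRIGGER_TYPE in params.get("type", [])
    has_shell_syntax = any(
        marker in value
        for field in CREDENTIAL_FIELDS
        for value in params.get(field, [])
        for marker in SHELL_MARKERS
    )
    if is_trigger_type and has_shell_syntax:
        return "injection"
    if is_trigger_type:
        return "probe"
    if has_shell_syntax:
        return "suspicious"
    return None


def scan(requests):
    """Return (client ip, verdict) for every request that deserves an alert."""
    hits = []
    for method, path, body, ip in requests:
        verdict = classify_request(method, path, body)
        if verdict:
            hits.append((ip, verdict))
    return hits
```

A 'probe' verdict on its own is noisy for legitimate SharePoint monitor setup, so correlate it with the child PowerShell process monitoring from the third bullet before escalating.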
CVSS provenance
- NVD, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)
exploitdb · 2018-03-12
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "ManageEngine Applications Manager Remote Code Execution",
'Description' => %q{
This module exploits command injection vulnerability in the ManageEngine Application Manager product.
An unauthenticated user can execute a operating system command under the context of privileged user.
Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials
by accessing given system. This endpoint calls a several internal classes and then executes powershell script
without validating user supplied parameter when the gi
```
Metasploit
ManageEngine Applications Manager Remote Code Execution
metasploit
This module exploits a command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing the given system. This endpoint calls several internal classes and then executes a PowerShell script without validating user-supplied parameters when the given system is OfficeSharePointServer.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/103358
- https://github.com/rapid7/metasploit-framework/pull/9684
- https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/
- https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager
- https://www.exploit-db.com/exploits/44274/
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-7890.html