CVE-2018-7890
published 2018-03-08


Priority: P184 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: EXPLOIT
EPSS: 79.16% (99.6th percentile)
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.

Affected

1 range

Vendor    Product                            Version range   Fixed in
zohocorp  manageengine_applications_manager  < 13.6          13.6

Detection & IOCs (extracted from sources)

URL:  /testCredential.do
Port: 9090
  • Detect unauthenticated POST requests to the /testCredential.do endpoint with the parameter 'type=OfficeSharePointServer', which is the specific trigger condition for the command injection vulnerability.
  • Alert on POST requests to /testCredential.do containing 'UserName' parameter values with shell subshell syntax (e.g., '$(' characters), indicating active command injection exploitation attempts.
  • Monitor for PowerShell processes spawned as children of the ManageEngine Applications Manager process (e.g., java.exe or wrapper.exe), which would indicate successful exploitation of the command injection.
  • The check method fingerprints a vulnerable instance by looking for the string 'Kindly check the credentials and try again' in the HTTP response body to /testCredential.do; presence of this string confirms exploitability.
  • The exploit targets ManageEngine Applications Manager versions before 13.6 (build 13640). Versions at or above build 13640 are patched and not vulnerable.
  • Exploitation requires no authentication — the vulnerable /testCredential.do endpoint is publicly accessible without credentials, meaning perimeter controls alone are insufficient if the service is internet-exposed.
  • The Metasploit module sets WfsDelay to 10 seconds, indicating the payload execution may be delayed; detection rules based on immediate response timing may miss the exploitation.
  • The module author notes that using a real IP (127.0.0.1) for HostName is intentional to avoid triggering SIEMs or DLP systems on outbound connections; defenders should not rely solely on outbound connection monitoring for detection.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C