Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-7890OS Command Injection in Manageengine Applications Manager

CWE-78OS Command Injection4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
86.3%
top 0.59%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Zohocorp Manageengine Applications Manager
Timeline
PublishedMar 8
Latest updateMay 13

Description

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-f7pp-w97r-w97p: A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 132022-05-13
CVEList
CVE-2018-7890: A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 132018-03-08

💥Exploits & PoCs

1
Exploit-DB
ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)2018-03-12
CVE-2018-7890 — OS Command Injection | cvebase