CVE-2019-12133 — Uncontrolled Search Path Element in Manageengine Analytics Plus

CWE-427 — Uncontrolled Search Path Element CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 95.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Analytics Plus Zohocorp Manageengine Desktop Central Zohocorp Manageengine Eventlog Analyzer +14 more

Timeline

PublishedJun 18

Latest updateMay 24

Description

Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, Support…

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages17 packages

▶NVDzohocorp/manageengine_patch_manager_plus9.0.0

▶NVDzohocorp/manageengine_mobile_device_manager_plus9.0.0

▶NVDzohocorp/manageengine_o365_manager_plus4.0

▶NVDzohocorp/manageengine_vulnerability_manager_plus9.0.0

▶NVDzohocorp/manageengine_key_manager_plus5.6

🔴Vulnerability Details

GHSA

GHSA-69r6-frgh-wc7c: Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory an↗2022-05-24

▶

CVEList

CVE-2019-12133: Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory an↗2019-06-18

▶