CVE-2019-15106
published 2019-08-16


Priority: P179, critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 25.48% (97.7th percentile)
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.

Affected

1 range
Vendor: zohocorp
Product: manageengine_opmanager
Version range: <= 12.4.034
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

port: 8060
url: /apiclient/ember/Login.jsp
url: /j_security_check
url: /Upload.do
url: /adminAction.do
url: /common/executeScript.do
url: /applications.do
command: j_password = username + "@opm"
  • Authentication bypass uses a predictable password pattern: append '@opm' to the username (e.g., admin:admin@opm). Detect POST requests to /j_security_check where the j_password field ends with '@opm'.
  • Malicious payload file (random 9-12 character alphabetic name with a .bat/.sh/.pl/.py/.rb extension) is uploaded via multipart POST to /Upload.do. Monitor for unexpected script file uploads to this endpoint.
  • The exploit checks for the JavaScript string 'j_password.value=username' in the response body of /applications.do to confirm vulnerability. This string in the page source indicates an unpatched build.
  • POST to /adminAction.do with method=createExecProgAction registers the uploaded malicious script as an executable program action. Monitor for this parameter combination in POST bodies.
  • The default exploit target is Windows (DefaultTarget => 0) on port 8060 with no SSL. Adjust detection scope for Linux targets and non-default port configurations.
  • Vulnerability affects OpManager builds before 14310 (v12.4.034 and prior). Builds at or above 14310 are not affected by this authentication bypass.
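The request-side indicators above (the '@opm' password suffix on /j_security_check, script uploads to /Upload.do, and method=createExecProgAction on /adminAction.do) can be turned into a small triage rule. The following is an added example, not code from the cvebase record or from Zoho; it assumes a proxy or WAF log that retains POST bodies and upload filenames, and the record field names (method, path, body, filename) and the sample records are constructed for illustration.

```python
"""Triage rule for the CVE-2019-15106 request-side indicators.

Added example (not part of the cvebase record). Assumes each log record is a
dict with the hypothetical keys method, path, body (form-encoded POST body)
and filename (multipart upload name, or None).
"""
import re
from urllib.parse import parse_qs

# Script extensions named in the IOC list for the /Upload.do indicator
SCRIPT_EXT_RE = re.compile(r"\.(bat|sh|pl|py|rb)$", re.IGNORECASE)
# Random 9-12 alphabetic characters, as described for the payload filename
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{9,12}$")


def check_request(req):
    """Return the list of indicator names matched by one request record."""
    hits = []
    method = (req.get("method") or "").upper()
    path = req.get("path") or ""
    body = req.get("body") or ""
    if method != "POST":
        return hits

    if path == "/j_security_check":
        params = parse_qs(body)
        user = params.get("j_username", [""])[0]
        pw = params.get("j_password", [""])[0]
        # Predictable-password bypass: password is username + "@opm"
        if pw.endswith("@opm"):
            hits.append("predictable_password_suffix")
            if user and pw == user + "@opm":
                hits.append("password_equals_username_opm")

    if path == "/Upload.do":
        name = req.get("filename") or ""
        if SCRIPT_EXT_RE.search(name):
            hits.append("script_upload")
            stem = name.rsplit(".", 1)[0]
            if RANDOM_NAME_RE.match(stem):
                hits.append("random_script_name")

    if path == "/adminAction.do":
        params = parse_qs(body)
        # Registering an uploaded script as an executable program action
        if "createExecProgAction" in params.get("method", []):
            hits.append("create_exec_prog_action")

    return hits


def scan(records):
    """Return (index, hits) for every record matching at least one indicator."""
    results = []
    for i, rec in enumerate(records):
        hits = check_request(rec)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample records (not real traffic)
SAMPLE_RECORDS = [
    {"method": "GET", "path": "/apiclient/ember/Login.jsp", "body": "", "filename": None},
    {"method": "POST", "path": "/j_security_check",
     "body": "j_username=admin&j_password=S3cure-pass", "filename": None},
    {"method": "POST", "path": "/j_security_check",
     "body": "j_username=admin&j_password=admin%40opm", "filename": None},
    {"method": "POST", "path": "/Upload.do", "body": "", "filename": "qwertyuiopa.bat"},
    {"method": "POST", "path": "/Upload.do", "body": "", "filename": "report-2019.csv"},
    {"method": "POST", "path": "/adminAction.do",
     "body": "method=createExecProgAction&name=x", "filename": None},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS):
        print(idx, SAMPLE_RECORDS[idx]["path"], hits)
```

A single login hit on the suffix rule is worth alerting on by itself; a login hit followed within the same session by a script upload and a createExecProgAction call is the full chain the IOC list describes and should be treated as an active compromise attempt regardless of the build number.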

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P