CVE-2019-15106
Published 2019-08-16
Priority: P1 (79). Severity: critical, CVSS 3.0 base score 9.8.
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see references).
EPSS: 25.48% (97.7th percentile)
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The string username + '@opm' is accepted as the password. For example, if the username is admin, the password is admin@opm.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | <= 12.4.034 | — |
Detection & IOCs (extracted from sources)
- Authentication bypass uses a predictable password pattern: append '@opm' to the username (e.g., admin:admin@opm). Detect POST requests to /j_security_check where the j_password field ends with '@opm'.
- Malicious payload file (random 9-12 character alphabetic name with a .bat/.sh/.pl/.py/.rb extension) is uploaded via multipart POST to /Upload.do. Monitor for unexpected script file uploads to this endpoint.
- The exploit checks for the JavaScript string 'j_password.value=username' in the response body of /applications.do to confirm vulnerability. This string in the page source indicates an unpatched build.
- POST to /adminAction.do with method=createExecProgAction registers the uploaded malicious script as an executable program action. Monitor for this parameter combination in POST bodies.
- The default exploit target is Windows (DefaultTarget => 0) on port 8060 with no SSL. Adjust detection scope for Linux targets and non-default port configurations.
- Vulnerability affects OpManager builds before 14310 (v12.4.034 and prior). Builds at or above 14310 are not affected by this authentication bypass.
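The indicators above can be turned into a small request-level detector. The code below is an added example, not part of this record or of any vendor or exploit code; it assumes HTTP requests have already been parsed into records with method, path, content type and body (as a proxy or WAF log parser would produce) and runs over a handful of constructed sample requests. It implements all three request-side indicators (the username + '@opm' password on /j_security_check, a short random script-file upload to /Upload.do, and createExecProgAction on /adminAction.do) plus the response-side check for the 'j_password.value=username' string.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request records (not captured traffic). Each record is what
# a log parser would yield for one HTTP request.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/j_security_check",
     "ctype": "application/x-www-form-urlencoded",
     "body": "j_username=admin&j_password=admin%40opm"},
    {"method": "POST", "path": "/j_security_check",
     "ctype": "application/x-www-form-urlencoded",
     "body": "j_username=alice&j_password=S3cure%21"},
    {"method": "POST", "path": "/Upload.do",
     "ctype": "multipart/form-data; boundary=xyz",
     "body": 'Content-Disposition: form-data; name="file"; filename="qwertyuiop.bat"'},
    {"method": "POST", "path": "/Upload.do",
     "ctype": "multipart/form-data; boundary=xyz",
     "body": 'Content-Disposition: form-data; name="file"; filename="report.pdf"'},
    {"method": "POST", "path": "/adminAction.do",
     "ctype": "application/x-www-form-urlencoded",
     "body": "method=createExecProgAction&name=foo"},
    {"method": "GET", "path": "/applications.do", "ctype": "", "body": ""},
]

# 9-12 letter name followed by one of the script extensions named in the IOCs.
SCRIPT_UPLOAD_RE = re.compile(r'filename="([A-Za-z]{9,12}\.(?:bat|sh|pl|py|rb))"')


def check_request(req):
    """Return the list of indicator names matched by one request record."""
    hits = []
    if req["method"] != "POST":
        return hits
    path = req["path"]
    if path == "/j_security_check":
        form = parse_qs(req["body"])  # parse_qs also URL-decodes (%40 -> @)
        user = form.get("j_username", [""])[0]
        pwd = form.get("j_password", [""])[0]
        if pwd.endswith("@opm"):
            # Exact advisory pattern (password == username + "@opm") is the
            # high-confidence hit; any other "@opm" suffix is a weaker signal.
            if user and pwd == user + "@opm":
                hits.append("cve-2019-15106-auth-bypass-exact")
            else:
                hits.append("cve-2019-15106-auth-bypass-suffix")
    elif path == "/Upload.do" and req["ctype"].startswith("multipart/form-data"):
        m = SCRIPT_UPLOAD_RE.search(req["body"])
        if m:
            hits.append("script-upload:" + m.group(1))
    elif path == "/adminAction.do":
        form = parse_qs(req["body"])
        if "createExecProgAction" in form.get("method", []):
            hits.append("exec-prog-action-registration")
    return hits


def response_indicates_unpatched(body):
    """True if a /applications.do response carries the pre-fix JavaScript string."""
    return "j_password.value=username" in body


def scan(requests):
    """Run check_request over every record; return (index, indicator) pairs."""
    return [(i, h) for i, req in enumerate(requests) for h in check_request(req)]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {hit}")
```

The exact-match rule is the one worth alerting on directly; the suffix-only rule catches variants but will also fire on legitimate passwords that happen to end in '@opm', so treat it as enrichment rather than a page. The upload and createExecProgAction rules should be correlated with a preceding /j_security_check hit from the same client, since either can appear in normal administrative use.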
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html
- https://www.exploit-db.com/exploits/47229
- https://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html