Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-15106: Missing Authentication for Critical Function in ManageEngine OpManager

Severity: 9.8 CRITICAL (NVD)
EPSS: 37.2% (top 2.82%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)

Timeline
Published: Aug 16
Latest update: May 24

Description

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm'" string is used for the password. For example, if the username is admin, the password is admin@opm.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 1 package

🔴 Vulnerability Details (2)

GHSA (2022-05-24)
GHSA-783q-f465-8jv7: An issue was discovered in Zoho ManageEngine OpManager through 12

CVEList (2019-08-16)
CVE-2019-15106: An issue was discovered in Zoho ManageEngine OpManager in builds before 14310

💥 Exploits & PoCs (1)

Exploit-DB (2019-08-12)
ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)