cbcvebase.
CVE-2019-19774
published 2019-12-13

Priority: P2 · 68
Severity: high, CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged (EXPLOIT badge)
EPSS: 12.52% (95.7th percentile)
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.
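
The two restrictions named above are a keyword deny-list, and the bypass query never names the protected column. The following is an added example written for this page, not ManageEngine's code: a model of the deny-list check beside a positive (allowlist) validator of the kind that would have rejected the query. It assumes, as the advisory does not state, that the bypass works because projecting a table name yields one composite column named after the table; the column names in the allowlist are placeholders, not the product's real schema.

```python
import re

# Constructed model of the restrictions the advisory describes for
# /event/runquery.do: the query text may not mention "password", and the
# result set may not carry a column named "password". Example code for this
# page; not ManageEngine's implementation.
def denylist_allows_query(sql: str) -> bool:
    return "password" not in sql.lower()

def denylist_allows_result(columns: list[str]) -> bool:
    return not any(c.strip().lower() == "password" for c in columns)

# Assumption (not stated by the advisory): "select hostdetails from hostdetails"
# passes both checks because the projected column is the table itself, so the
# result header is "hostdetails" and the credential column is never named.
BYPASS_QUERY = "select hostdetails from hostdetails"
BYPASS_RESULT_COLUMNS = ["hostdetails"]   # one composite value per row

# Hardened form: positive validation. Only a known table and an explicit list
# of its columns may be projected; "*", a table name used as a column, quoted
# or qualified names, expressions, WHERE/JOIN/subqueries and anything else
# unparsed are rejected. Table and column names here are placeholders.
ALLOWED_COLUMNS = {
    "hostdetails": {"host_id", "hostname", "ipaddress", "os_type"},
    "eventlog":    {"event_id", "host_id", "timestamp", "severity", "message"},
}

_SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<table>[a-z_][a-z0-9_]*)\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)
_IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]*$", re.IGNORECASE)

def allowlist_allows_query(sql: str) -> bool:
    m = _SELECT_RE.match(sql)
    if not m:
        return False                       # not a plain single-table SELECT
    table = m.group("table").lower()
    if table not in ALLOWED_COLUMNS:
        return False
    for col in m.group("cols").split(","):
        col = col.strip()
        if not _IDENT_RE.match(col):       # rejects *, t.col, func(col), "quoted"
            return False
        if col.lower() not in ALLOWED_COLUMNS[table]:
            return False                   # rejects password AND the table-as-column trick
    return True
```

The point of the second validator is that it never has to know which column is sensitive: anything not explicitly permitted is refused, so a projection that avoids the word "password" buys the attacker nothing.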

Affected

1 range
Vendor: zohocorp
Product: manageengine_eventlog_analyzer
Version range: >= 10.0, < 12.1.1
Fixed in: 12.1.1

Detection & IOCs (extracted from sources)

URL: /event/runquery.do
Port: 8400
Command: select hostdetails from hostdetails
  • Monitor HTTP requests to the /event/runquery.do endpoint for the payload 'select hostdetails from hostdetails', the specific query used to bypass the credential-masking controls and extract MD5 password hashes.
  • Alert on any authenticated POST or GET to /event/runquery.do whose query contains the string 'hostdetails', the table name used to exfiltrate MD5 credential hashes while evading the built-in 'password' keyword filter. Legitimate reporting queries may also reference this table, so treat the exact bypass query as high confidence and a bare 'hostdetails' match as a lead to triage.
  • The exploit requires authentication; correlate suspicious /event/runquery.do access with low-privilege or recently created accounts to identify credential abuse.
  • The vulnerability affects EventLog Analyzer 10.0 SP1 builds prior to Build 12110 only; patched instances running Build 12110 or later are not vulnerable.
  • Extracted credentials are MD5 hashes of the accounts used to authenticate ManageEngine to managed machines, most often domain or local administrative accounts, so successful exploitation yields crackable privileged credentials.
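
The detection bullets above, turned into code as an added example for this page (not a rule shipped by any vendor): it parses constructed combined-format access log lines from an EventLog Analyzer web server, grades each /event/runquery.do request, and lists the accounts to review. The log format, hosts, account names and timestamps are made up, and the name of the HTTP parameter carrying the SQL ("query") is an assumption, since the advisory names only the endpoint and the SQL text.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log lines (Tomcat/Apache style) for an
# EventLog Analyzer instance on its default web port 8400. Every value here
# is invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [14/Dec/2019:09:12:01 +0000] "GET /event/index2.do HTTP/1.1" 200 5120
10.0.0.5 - jsmith [14/Dec/2019:09:12:20 +0000] "GET /event/runquery.do?query=select+hostname+from+hostdetails HTTP/1.1" 200 1480
10.0.0.9 - temp01 [14/Dec/2019:09:15:44 +0000] "GET /event/runquery.do?query=select%20hostdetails%20from%20hostdetails HTTP/1.1" 200 9931
10.0.0.9 - temp01 [14/Dec/2019:09:15:50 +0000] "POST /event/runquery.do HTTP/1.1" 200 9931
10.0.0.7 - - [14/Dec/2019:09:16:02 +0000] "GET /event/runquery.do?query=select+count(*)+from+eventlog HTTP/1.1" 200 210
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# The exact query named in the advisory, tolerant of extra whitespace and case.
BYPASS_RE = re.compile(r"\bselect\s+hostdetails\s+from\s+hostdetails\b", re.IGNORECASE)

def classify_request(method: str, target: str):
    """Return (severity, reason) for one request, or None if not of interest."""
    parts = urlsplit(target)
    if parts.path != "/event/runquery.do":
        return None
    # Assumption: the SQL travels in a parameter called "query". parse_qs
    # URL-decodes it, so %20 and + both become spaces before matching.
    sql = " ".join(parse_qs(parts.query).get("query", [])).lower()
    if BYPASS_RE.search(sql):
        return ("high", "exact CVE-2019-19774 bypass query")
    if "hostdetails" in sql:
        return ("medium", "query references the hostdetails table")
    if method == "POST" and not sql:
        # Access logs do not record POST bodies; the SQL must be checked at a
        # proxy, WAF or application log instead. Surface it, but at low severity.
        return ("low", "POST to runquery.do; body not in access log")
    return None

def scan_access_log(text: str):
    """Parse log lines and return one finding per request of interest."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # unparsable line, skip
        hit = classify_request(m["method"], m["target"])
        if hit:
            findings.append({
                "ts": m["ts"], "src": m["src"], "user": m["user"],
                "status": int(m["status"]), "severity": hit[0], "reason": hit[1],
            })
    return findings

def accounts_to_review(findings):
    """Authenticated accounts behind medium/high findings, for the correlation
    step the advisory suggests (new or low-privilege accounts are the concern)."""
    users = {f["user"] for f in findings
             if f["severity"] in ("high", "medium") and f["user"] != "-"}
    return sorted(users)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['src']:10} {f['user']:8} {f['reason']}")
    print("review:", accounts_to_review(SAMPLE_LOG and scan_access_log(SAMPLE_LOG)))
```

Run against the constructed lines this yields one high finding (temp01 sending the exact bypass query), one medium (jsmith's ordinary query against hostdetails) and one low (temp01's POST whose body is not visible), which is the grading the bullets above call for.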

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 4.0 MEDIUM, AV:N/AC:L/Au:S/C:P/I:N/A:N