CVE-2020-28653
published 2021-02-03

CVE-2020-28653: Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM)…

Priority P1 (92) · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 78.70% (99.5th percentile)
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

Affected (2 ranges)

Vendor     Product                 Version range   Fixed in
zohocorp   manageengine_opmanager  < 12.5          12.5
zohocorp   manageengine_opmanager

Detection & IOCs (extracted from sources)

  • url: /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet
  • url: /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet
  • bytes: rO0ABXcEAAAD6g==
  • Detect exploitation attempts by monitoring HTTP POST requests to the SUMCommunicationServlet and SUMHandShakeServlet endpoints; Java deserialization payloads begin with the magic bytes 'rO0A' (base64 of 0xACED0000) in the request body with Content-Type: application/octet-stream.
  • The handshake probe sends a specific 6-byte serialized payload (base64: rO0ABXcEAAAD6g==) to SUMHandShakeServlet; a 200 response indicates a vulnerable endpoint.
  • The exploit is unauthenticated; no session cookie or authentication header is required. Alert on unauthenticated POST requests with Content-Type: application/octet-stream to the SUM servlet paths.
  • Shodan/FOFA fingerprinting queries for exposed OpManager instances: search for HTTP title 'opmanager plus' or 'opmanager' to identify internet-facing targets.
  • Out-of-band DNS interaction (via interactsh/OAST) is used to confirm RCE; monitor for unexpected DNS lookups originating from OpManager server processes as a post-exploitation indicator.
  • The exploit also affects other Zoho products built on top of the OpManager application, not just OpManager itself; broaden detection scope accordingly.
  • Automatic CVE-based target selection in the Metasploit module only works for newer targets where the build number is present in the logon page; older builds may not be auto-detected.
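As an added example (not code from the CVE record or any of its sources), the detection notes above turned into a small Python triage filter: it flags POSTs to the two SUM servlet paths whose body is a Java serialization stream (raw, or base64 with the "rO0A" prefix), recognises the quoted handshake probe, and marks requests that carry no session cookie or Authorization header. The request tuples, lowercase header names and sample traffic are constructed assumptions, not an OpManager log format.

```python
import base64
import binascii
# Servlet paths from the IOC list above.
SUM_SERVLET_PATHS = {
    "/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet",
    "/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet",
}
# Java serialization stream header (magic 0xACED, version 0x0005); the base64 prefix "rO0A" encodes its first 3 bytes.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# The handshake probe quoted in the detection notes above (base64).
HANDSHAKE_PROBE_B64 = "rO0ABXcEAAAD6g=="

def looks_like_java_serialized(body: bytes) -> bool:
    """True if body is a Java serialization stream, raw or base64-encoded."""
    if body.startswith(JAVA_SERIAL_MAGIC):
        return True
    try:
        return base64.b64decode(body, validate=True).startswith(JAVA_SERIAL_MAGIC)
    except (binascii.Error, ValueError):
        return False

def classify(method: str, path: str, headers: dict, body: bytes):
    """Alert label for a suspicious POST to a SUM servlet, else None (header names lowercase)."""
    if method.upper() != "POST" or path.split("?")[0] not in SUM_SERVLET_PATHS:
        return None
    body = body.strip()
    if body in (HANDSHAKE_PROBE_B64.encode(), base64.b64decode(HANDSHAKE_PROBE_B64)):
        return "sum-handshake-probe"
    unauth = not (headers.get("cookie") or headers.get("authorization"))
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if looks_like_java_serialized(body):
        return "sum-java-deserialization" + ("-unauthenticated" if unauth else "")
    if ctype == "application/octet-stream" and unauth:
        return "sum-unauthenticated-octet-stream"
    return None

# Constructed sample traffic (not captured data): a handshake probe, a raw
# serialized object with no session cookie, and a benign page load.
SAMPLE_REQUESTS = [
    ("POST", "/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet",
     {"content-type": "application/octet-stream"}, b"rO0ABXcEAAAD6g=="),
    ("POST", "/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet",
     {"content-type": "application/octet-stream"}, JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"),
    ("GET", "/apiclient/ember/index.jsp", {}, b""),
]

def scan(requests=SAMPLE_REQUESTS):
    """(label, path) for each request that raises an alert."""
    labelled = ((classify(*r), r[1]) for r in requests)
    return [(label, path) for label, path in labelled if label]
```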

CVSS provenance

NVD (v3.1):   9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0):   7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck:    9.8 CRITICAL