CVE-2020-28653
published 2021-02-03
Priority P192 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 78.70% (99.5th percentile)
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | < 12.5 | 12.5 |
| zohocorp | manageengine_opmanager | — | — |
Detection & IOCs (extracted from sources)
- bytes: rO0ABXcEAAAD6g==
- bytes: AAABX6ztAAVzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAMdwgAAAAQAAAAAXNyAAxqYXZhLm5ldC5VUkyWJTc2GvzkcgMAB0kACGhhc2hDb2RlSQAEcG9ydEwACWF1dGhvcml0eXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wABGZpbGVxAH4AA0wABGhvc3RxAH4AA0wACHByb3RvY29scQB+AANMAANyZWZxAH4AA3hw//////////90ADJhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYXQAAHEAfgAFdAAEaHR0cHB4dAA5aHR0cDovL2FhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFheA==
- Detect exploitation attempts by monitoring HTTP POST requests to the SUMCommunicationServlet and SUMHandShakeServlet endpoints; Java deserialization payloads begin with the magic bytes 'rO0A' (base64 of 0xACED0000) in the request body with Content-Type: application/octet-stream.
- The handshake probe sends a specific 6-byte serialized payload (base64: rO0ABXcEAAAD6g==) to SUMHandShakeServlet; a 200 response indicates a vulnerable endpoint.
- The exploit is unauthenticated; no session cookie or authentication header is required. Alert on unauthenticated POST requests with Content-Type: application/octet-stream to the SUM servlet paths.
- Shodan/FOFA fingerprinting queries for exposed OpManager instances: search for HTTP title 'opmanager plus' or 'opmanager' to identify internet-facing targets.
- Out-of-band DNS interaction (via interactsh/OAST) is used to confirm RCE; monitor for unexpected DNS lookups originating from OpManager server processes as a post-exploitation indicator.
- The exploit also affects other Zoho products built on top of the OpManager application, not just OpManager itself; broaden detection scope accordingly.
- Automatic CVE-based target selection in the Metasploit module only works for newer targets where the build number is present in the logon page; older builds may not be auto-detected.
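The indicators above describe a request-level signature (POST to a SUM servlet, octet-stream body, Java serialization header, no session) rather than giving detection code. The following is an added example, not code from this page or from any of the tools it lists: a small classifier that tags HTTP requests matching those indicators, run over constructed sample traffic. It assumes the SUM servlets are identified by their name appearing in the request path (the page gives the servlet names, not the full URL prefix OpManager mounts them under), and it searches a short window rather than only offset 0 because the second indicator above starts with a 4-byte length before the 0xACED0005 header.

```python
"""Request classifier for the CVE-2020-28653 indicators (added example, not from the page)."""
import base64
import binascii
from dataclasses import dataclass

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The same header, base64-encoded, starts with "rO0A" when the stream begins at offset 0.
JAVA_SER_B64_PREFIX = b"rO0A"

# Servlet names from the indicators. Matching on the name anywhere in the path is an
# assumption; the page does not give the full URL prefix these servlets are mounted under.
SUM_SERVLETS = ("SUMCommunicationServlet", "SUMHandShakeServlet")

# Handshake probe payload exactly as listed on the page.
HANDSHAKE_PROBE = base64.b64decode("rO0ABXcEAAAD6g==")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: bytes


def header(req, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def has_java_stream(body):
    """True if a Java serialization header appears in the first 16 bytes, raw or base64.

    The second indicator on the page carries a 4-byte length before 0xACED0005, so the
    header is looked for inside a short window instead of only at offset 0.
    """
    if JAVA_SER_MAGIC in body[:16] or body[:4] == JAVA_SER_B64_PREFIX:
        return True
    try:
        decoded = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return JAVA_SER_MAGIC in decoded[:16]


def classify_request(req):
    """Return the alert tags that apply to one request (empty list: nothing matched)."""
    tags = []
    if req.method.upper() != "POST" or not any(s in req.path for s in SUM_SERVLETS):
        return tags
    tags.append("sum-servlet-post")
    content_type = (header(req, "Content-Type") or "").lower()
    if content_type.startswith("application/octet-stream"):
        tags.append("octet-stream-body")
    if header(req, "Cookie") is None and header(req, "Authorization") is None:
        tags.append("unauthenticated")
    if has_java_stream(req.body):
        tags.append("java-serialized-body")
    if req.body == HANDSHAKE_PROBE:
        tags.append("sum-handshake-probe")
    return tags


# Constructed sample traffic (paths and cookie value are placeholders, not captured data).
SAMPLES = {
    "probe": HttpRequest("POST", "/servlet/SUMHandShakeServlet",
                         {"Content-Type": "application/octet-stream"}, HANDSHAKE_PROBE),
    "framed": HttpRequest("POST", "/servlet/SUMCommunicationServlet",
                          {"Content-Type": "application/octet-stream"},
                          # first 24 base64 chars of the page's second indicator:
                          # 4-byte length 0x0000015F, then the 0xACED0005 header
                          base64.b64decode("AAABX6ztAAVzcgARamF2YS51")),
    "b64": HttpRequest("POST", "/servlet/SUMCommunicationServlet",
                       {"Content-Type": "application/octet-stream",
                        "Cookie": "JSESSIONID=placeholder"},
                       base64.b64encode(HANDSHAKE_PROBE)),
    "benign": HttpRequest("GET", "/index.html", {}, b""),
}


def scan(samples=SAMPLES):
    """Map each sample name to its tags; a quick smoke run over the constructed traffic."""
    return {name: classify_request(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, tags in scan().items():
        print(f"{name:8s} {tags}")
```

The tag list is meant to feed a rule rather than to be an alert by itself: `sum-servlet-post` plus `java-serialized-body` is the high-confidence combination, and `unauthenticated` raises the priority further, since the page notes the exploit needs no session.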
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-hxf4-fh6h-hq94 [CRITICAL] (ghsa_unreviewed · 2022-05-24)
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
VulnCheck
Zoho ManageEngine OpManager Smart Update Manager Servlet Remote Code Execution [CRITICAL] (vulncheck · 2020 · CVSS 9.8)
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
Affected: Zoho manageengine_opmanager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2020-28653
Exploit PoC: https://vulncheck.com/xdb/e79a8bfc5161; https://vulncheck.com/xdb/d50b99aded83; https://vulncheck.com/xdb/c3df582625b8
No detection rules found.
Metasploit
ManageEngine OpManager SumPDU Java Deserialization (metasploit)
An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 - 12.5.328. Automatic CVE selection only works for newer targets when the build number is present in the logon page. Due to issues with the serialized payload this module is incompatible with versions prior to 12.3.238 despite them technically being vulnerable.
Nuclei
ManageEngine OpManager SumPDU 12.1 - 12.5.232 - Java Deserialization [CRITICAL] (nuclei · CVSS 9.8)
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
Template:
```yaml
id: CVE-2020-28653
info:
  name: ManageEngine OpManager SumPDU 12.1 - 12.5.232 - Java Deserialization
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
  impact: |
    Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to build 125203 or later.
  reference:
    - http://packetstormsecurity.com/files/164231/ManageE
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html
- https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125203
- https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125233