CVE-2021-20078
Published 2021-04-01
Priority: P2 (64) · Severity: critical · CVSS 3.1 base score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS: 60.37% (99.0th percentile)
ManageEngine OpManager builds below 125346 are vulnerable to a remote denial of service caused by a path traversal issue in the Spark Gateway component. An unauthenticated remote attacker can use it to delete any directory or directories on the underlying OS.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | < 12.5 | 12.5 |
| zohocorp | manageengine_opmanager | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated WebSocket upgrade requests to port 7275 on the path /RDP whose 'server' URL parameter contains path traversal sequences (e.g. '../'). This is a strong indicator of CVE-2021-20078 exploitation attempts against the Spark Gateway component.
- Monitor for creation of unexpected *.rdpv files at the filesystem root (e.g. C:\<name>.rdpv) on Windows OpManager hosts; such a file indicates the Spark Gateway path traversal was triggered.
- Alert on the OpManager process (which runs as SYSTEM) initiating recursive directory deletion from high-level filesystem paths (e.g. C:\); this is the destructive payload of the vulnerability.
- Flag HTTP/WebSocket requests where the 'server' parameter contains dot-dot-slash traversal sequences targeting the Spark Gateway RDP endpoint; the recordingFile path is derived from this parameter.
- The vulnerability is unauthenticated: no credentials are required, so perimeter authentication controls alone do not block exploitation.
- The recordingFile itself (e.g. C:\AAA.rdpv) is NOT deleted because it is in use at the time of deletion; all other files and sub-directories under its containing directory are at risk.
- Affected scope is ManageEngine OpManager builds below 125346; confirm the build number before applying detection rules so that patched instances do not generate false positives.
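The request-level indicators above (port 7275, the /RDP endpoint, a WebSocket upgrade, traversal in the 'server' parameter) and the root-level *.rdpv indicator can be turned into a small triage helper. The block below is an added example written for this page, not code from the page's sources or from ManageEngine; the sample requests, host names, user names and recording paths are constructed. It percent-decodes the 'server' value repeatedly so that single- and double-encoded `../` and `..\` are both caught, and it only calls a request an exploit attempt when the traversal lands on the /RDP endpoint, so a stray `../` elsewhere is reported but not escalated.

```python
# Added example (not from the page's sources): detection logic for the
# CVE-2021-20078 indicators listed above, run over constructed sample
# requests. Host names, user names and recording paths are made up.
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, unquote, urlsplit

SPARK_GATEWAY_PORT = 7275   # Spark Gateway listener named in the indicator list
SPARK_RDP_PATH = "/rdp"     # compared case-insensitively, trailing slash ignored
# Matches ../ or ..\ once the parameter value has been percent-decoded.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%252e%252e%252f) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request (request line + headers) into its parts."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    tokens = lines[0].split(" ")
    method, target = (tokens + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "query": parts.query, "headers": headers}


def classify(raw: str, dst_port: int) -> list:
    """Return the names of the indicators that fire for one request."""
    req = parse_request(raw)
    hits = []
    if dst_port == SPARK_GATEWAY_PORT:
        hits.append("spark_gateway_port")
    if req["path"].lower().rstrip("/") == SPARK_RDP_PATH:
        hits.append("rdp_endpoint")
    if req["headers"].get("upgrade", "").lower() == "websocket":
        hits.append("websocket_upgrade")
    # parse_qs decodes once; decode_fully handles any further layers.
    params = parse_qs(req["query"], keep_blank_values=True)
    for value in params.get("server", []):
        if TRAVERSAL_RE.search(decode_fully(value)):
            hits.append("traversal_in_server_param")
            break
    return hits


def is_exploit_attempt(raw: str, dst_port: int) -> bool:
    """High-confidence rule: traversal in 'server' on the /RDP endpoint."""
    hits = set(classify(raw, dst_port))
    return {"rdp_endpoint", "traversal_in_server_param"} <= hits


def is_root_level_rdpv(path: str) -> bool:
    """Host indicator: a *.rdpv file directly under a drive root (C:\\AAA.rdpv),
    which is where a traversed recordingFile ends up. Relative paths and files
    deeper in the tree are not flagged."""
    p = PureWindowsPath(path)
    return bool(p.anchor) and p.suffix.lower() == ".rdpv" \
        and p.parent == PureWindowsPath(p.anchor)


# Constructed sample traffic (not real captures).
BENIGN = ("GET /RDP?server=10.0.0.5&user=operator HTTP/1.1\r\n"
          "Host: opmanager.example.internal:7275\r\n"
          "Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
TRAVERSAL = ("GET /RDP?server=..%2f..%2f..%2fAAA&user=operator HTTP/1.1\r\n"
             "Host: opmanager.example.internal:7275\r\n"
             "Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
DOUBLE_ENCODED = ("GET /RDP?server=..%252f..%252fAAA HTTP/1.1\r\n"
                  "Host: opmanager.example.internal:7275\r\n"
                  "Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
BACKSLASH = ("GET /rdp/?server=..%5c..%5cAAA HTTP/1.1\r\n"
             "Host: opmanager.example.internal:7275\r\n"
             "Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
OTHER_PATH = ("GET /images/logo.png?server=../../x HTTP/1.1\r\n"
              "Host: opmanager.example.internal:8060\r\n\r\n")

if __name__ == "__main__":
    for name, raw, port in [("benign", BENIGN, 7275), ("traversal", TRAVERSAL, 7275),
                            ("double_encoded", DOUBLE_ENCODED, 7275),
                            ("backslash", BACKSLASH, 7275), ("other_path", OTHER_PATH, 8060)]:
        print(f"{name:15} exploit={is_exploit_attempt(raw, port)} hits={classify(raw, port)}")
    print("rdpv at root:", is_root_level_rdpv(r"C:\AAA.rdpv"))
```

Feed `classify` the request text and destination port from a proxy or IDS log; `is_exploit_attempt` is the rule worth paging on, while the individual hit names are useful context fields for the alert. The build-number caveat from the list still applies: run this only against hosts confirmed to be below build 125346.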
CVSS provenance
- NVD, CVSS v3.1: 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
- NVD, CVSS v2.0: 9.4 CRITICAL (AV:N/AC:L/Au:N/C:N/I:C/A:C)
No detection rules found.
No public exploits indexed.