CVE-2021-20078
published 2021-04-01


Priority: P2 | 64 | critical | 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H
EPSS: 60.37% (99.0th percentile)
ManageEngine OpManager builds below 125346 are vulnerable to a remote denial of service due to a path traversal issue in the Spark Gateway component. This allows a remote, unauthenticated attacker to delete any directory or directories on the underlying OS.

Affected (2 ranges)

Vendor     Product                  Version range   Fixed in
zohocorp   manageengine_opmanager   < 12.5          12.5
zohocorp   manageengine_opmanager

Detection & IOCs (extracted from sources)

url:      http://<host>:7275/RDP?server=../../../../../../../..//AAA&width=1440&height=788
port:     7275
path:     /RDP
filename: C:\AAA.rdpv
  • Detect unauthenticated WebSocket upgrade requests to port 7275 on the path /RDP whose 'server' URL parameter contains path traversal sequences (e.g., '../'); this is a strong indicator of CVE-2021-20078 exploitation attempts against the Spark Gateway component.
  • Monitor for creation of unexpected *.rdpv files at the filesystem root (e.g., C:\<name>.rdpv) on Windows OpManager hosts, which indicates the Spark Gateway path traversal was triggered.
  • Alert on the OpManager process (which runs as SYSTEM) initiating recursive directory deletion starting from high-level filesystem paths (e.g., C:\); that deletion is the destructive payload of this vulnerability.
  • Flag HTTP/WebSocket requests where the 'server' parameter contains dot-dot-slash traversal sequences targeting the Spark Gateway RDP endpoint; the recordingFile path is derived from this parameter.
  • The vulnerability is unauthenticated: no credentials are required to exploit it, so perimeter authentication controls alone are insufficient to block exploitation.
  • The recordingFile itself (e.g., C:\AAA.rdpv) will NOT be deleted because it is in use at the time of deletion; however, all other files and sub-directories under its containing directory are at risk of deletion.
  • Affected scope is ManageEngine OpManager builds below 125346; confirm the build version before applying detection rules to avoid false positives on patched instances.
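The following is an added detection example, not part of the CVE record and not ManageEngine's code. It applies the indicators listed above (port 7275, path /RDP, a dot-dot sequence in the 'server' parameter, and a *.rdpv file created directly under a drive root) to access-log lines in a constructed key=value format; the log format, the sample lines and the hostnames are assumptions for illustration, not OpManager's own log layout.

```python
"""Detection helper for the CVE-2021-20078 indicators (added example, not from
the CVE record or from ManageEngine). The key=value log format and the sample
lines below are constructed for illustration."""

import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators from the CVE record: Spark Gateway listens on 7275, the endpoint is
# /RDP, and the traversal is carried in the 'server' query parameter.
GATEWAY_PORT = 7275
RDP_PATH = "/RDP"
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# A *.rdpv file written directly under a drive root, e.g. C:\AAA.rdpv
ROOT_RDPV_RE = re.compile(r"^[A-Za-z]:\\[^\\/]+\.rdpv$", re.IGNORECASE)

# Constructed key=value access-log format (hypothetical, not OpManager's own).
LOG_RE = re.compile(
    r'ts=(?P<ts>\S+) src=(?P<src>\S+) dst_port=(?P<port>\d+) '
    r'method=(?P<method>\S+) uri="(?P<uri>[^"]*)"(?: upgrade=(?P<upgrade>\S+))?'
)


def _deep_unquote(value, rounds=3):
    """Undo nested percent-encoding so a double-encoded %252e%252e%252f is
    still recognised as ../ by the traversal check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def is_spark_gateway_traversal(uri, port):
    """True when a request to /RDP on the gateway port carries a dot-dot
    sequence in any 'server' parameter value."""
    if int(port) != GATEWAY_PORT:
        return False
    parts = urlsplit(uri)
    if parts.path != RDP_PATH:
        return False
    # keep_blank_values so an empty server= cannot hide a later occurrence
    for server in parse_qs(parts.query, keep_blank_values=True).get("server", []):
        if TRAVERSAL_RE.search(_deep_unquote(server)):
            return True
    return False


def is_root_rdpv(path):
    """True for a recording file created directly under a drive root."""
    return bool(ROOT_RDPV_RE.match(path.strip()))


def scan_access_log(lines):
    """Return (ts, src, uri) for every line matching the exploitation pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_spark_gateway_traversal(m["uri"], m["port"]):
            hits.append((m["ts"], m["src"], m["uri"]))
    return hits


# Constructed sample lines (not real traffic). Lines 1 and 3 should be flagged:
# line 2 has a benign server value, line 4 is not on the gateway port.
SAMPLE_LOG = [
    'ts=2021-04-02T10:11:12Z src=203.0.113.7 dst_port=7275 method=GET '
    'uri="/RDP?server=../../../../../../../..//AAA&width=1440&height=788" upgrade=websocket',
    'ts=2021-04-02T10:11:13Z src=198.51.100.4 dst_port=7275 method=GET '
    'uri="/RDP?server=10.0.0.12&width=1440&height=788" upgrade=websocket',
    'ts=2021-04-02T10:11:14Z src=203.0.113.7 dst_port=7275 method=GET '
    'uri="/RDP?server=%252e%252e%252f%252e%252e%252fBBB&width=800&height=600"',
    'ts=2021-04-02T10:11:15Z src=203.0.113.7 dst_port=8060 method=GET '
    'uri="/RDP?server=../../CCC"',
]

if __name__ == "__main__":
    for ts, src, uri in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {src} possible CVE-2021-20078 attempt: {uri}")
    print(is_root_rdpv(r"C:\AAA.rdpv"))
```

The traversal check decodes the parameter a few extra times on purpose: a single URL-decode pass (what parse_qs does) would miss a double-encoded sequence, and the file-event check only matches files directly under a drive root, so ordinary recordings in a deeper directory do not trigger it. Pair both checks with the build-version caveat above to keep false positives on patched instances down.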

CVSS provenance

NVD  v3.1  9.1  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD  v2.0  9.4  CRITICAL  AV:N/AC:L/Au:N/C:N/I:C/A:C