CVE-2021-3287
Published 2021-04-22
CVE-2021-3287: Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.
Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV: exploited in the wild
EPSS: 51.33% (98.8th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | < 12.5 | 12.5 |
| zohocorp | manageengine_opmanager | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable endpoint is the Smart Update Manager (SumPDU) HTTP endpoint, which accepts and deserializes arbitrary Java objects without authentication. Monitor for unexpected POST requests to this endpoint from unauthenticated sources.
- Exploitation results in OS command execution as NT AUTHORITY\SYSTEM (Windows) or root (Linux). Look for child processes spawned by the OpManager service process with suspicious command-line arguments.
- The build number is present in the logon page body (regex: cachestart/VERSION/cacheend). Use it to fingerprint vulnerable instances (build < 12.5.329) during threat hunting or asset discovery.
- Versions prior to 12.3.238 are technically vulnerable, but the serialized payload is incompatible with the public exploit module; do not assume absence of exploitation risk for those versions.
- The vulnerability is a general bypass in the deserialization class and is reachable without authentication: no session or credentials are required to trigger RCE. Perimeter controls blocking unauthenticated access to the OpManager web interface are a critical mitigation.
- Other Zoho products built on top of OpManager are also affected by this vulnerability, broadening the attack surface beyond standalone OpManager deployments.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | n/a | 9.8 | CRITICAL | n/a |
GHSA
GHSA-9342-c88m-74xw: Zoho ManageEngine OpManager before 12
ghsa_unreviewed · 2022-05-24 · CVE-2021-3287 [CRITICAL] · CWE-502
VulnCheck
Zoho manageengine_opmanager Deserialization of Untrusted Data
vulncheck · 2021 · CVSS 9.8 · CVE-2021-3287 [CRITICAL]
Affected: Zoho manageengine_opmanager
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-13&host_type=src&vulnerability=cve-2021-3287
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-12&host_type=src&vulnerability=cve-2021-3287
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-13&host_type=src&vulne
No detection rules found.
Nuclei
Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2021-3287 [CRITICAL]
```yaml
Zoho ManageEngine OpManager = 125000')"
          - "contains(body, 'ManageEngine')"
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'cachestart\/([0-9.]+)\/cacheend'
# digest: 490a0046304402207555504467851f8dcc8cd0de47285022e57ff0d013aa64b4b0f7af66ed9813b1022027353c4daba190fc318727d0b5f79d5f2dc402da5b979170078d54b346501049:922c64590222798bb761d5b6d8e72950
```
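Added example (not from the Nuclei template or this page): a Python inventory check over a saved logon-page body that applies the cachestart/VERSION/cacheend regex from the detection note and the Nuclei extractor, then compares the build against 12.5.329 and the 12.3.238 cutoff the Metasploit entry mentions. The sample bodies are constructed, not real captures.

```python
import re
from typing import Optional, Tuple

# Build-number fingerprint from the OpManager logon page, as used by the
# detection note and the Nuclei extractor: cachestart/<build>/cacheend
VERSION_RE = re.compile(r"cachestart/([0-9.]+)/cacheend")

FIXED_BUILD = (12, 5, 329)    # first fixed build per the advisory
MODULE_CUTOFF = (12, 3, 238)  # older builds: vulnerable, but unsupported by the public module

def parse_build(build: str) -> Tuple[int, ...]:
    """'12.5.328' -> (12, 5, 328); tuple comparison orders builds correctly."""
    return tuple(int(p) for p in build.split(".") if p)

def extract_build(body: str) -> Optional[str]:
    """Return the build string from a logon-page body, or None if absent."""
    m = VERSION_RE.search(body)
    return m.group(1) if m else None

def classify(body: str) -> str:
    """Classify a saved logon-page body for inventory and patch tracking."""
    if "ManageEngine" not in body:
        return "not-opmanager"
    build = extract_build(body)
    if build is None:
        return "unknown"  # some builds do not expose the version in the body
    parsed = parse_build(build)
    if parsed >= FIXED_BUILD:
        return "fixed"
    if parsed < MODULE_CUTOFF:
        return "vulnerable-legacy"  # still patch: no public PoC is not safety
    return "vulnerable"

# Constructed sample bodies (not real captures) covering each outcome.
SAMPLE_BODIES = {
    "fixed": "<title>ManageEngine OpManager</title> ... cachestart/12.5.329/cacheend ...",
    "vulnerable": "<title>ManageEngine OpManager</title> ... cachestart/12.5.328/cacheend ...",
    "legacy": "<title>ManageEngine OpManager</title> ... cachestart/12.3.100/cacheend ...",
    "no-version": "<title>ManageEngine OpManager</title> (no build marker in body)",
    "other": "<title>Some other login</title>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:>11}: build={extract_build(body)} -> {classify(body)}")
```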
Metasploit
ManageEngine OpManager SumPDU Java Deserialization
metasploit
An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 - 12.5.328. Automatic CVE selection only works for newer targets when the build number is present in the logon page. Due to issues with the serialized payload this module is incompatible with versions prior to 12.3.238 despite them technically being vulnerable.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html
- https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125329