CVE-2021-3287
published 2021-04-22

CVE-2021-3287: Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.

Priority: P1 (90) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit: listed in VulnCheck KEV
Exploited in the wild
EPSS: 51.33% (98.8th percentile)

Affected

2 ranges
Vendor     Product                   Version range   Fixed in
zohocorp   manageengine_opmanager    < 12.5          12.5
zohocorp   manageengine_opmanager

Detection & IOCs (extracted from sources)

Version: OpManager 12.1 - 12.5.328
  • The vulnerable endpoint is the Smart Update Manager (SumPDU) HTTP endpoint, which accepts and deserializes arbitrary Java objects without authentication. Monitor for unexpected POST requests to this endpoint from unauthenticated sources.
  • Exploitation results in OS command execution as NT AUTHORITY\SYSTEM (Windows) or root (Linux). Look for child processes spawned by the OpManager service process with suspicious command-line arguments.
  • The build number is present in the logon page body (regex: cachestart/VERSION/cacheend). Use this to fingerprint vulnerable instances (build < 12.5.329) during threat hunting or asset discovery.
  • Versions prior to 12.3.238 are technically vulnerable but the serialized payload is incompatible with the public exploit module — do not assume absence of exploitation risk for those versions.
  • The vulnerability is a general bypass in the deserialization class, meaning it is unauthenticated: no session or credentials are required to trigger RCE. Perimeter controls blocking unauthenticated access to the OpManager web interface are a critical mitigation.
  • Other Zoho products built on top of OpManager are also affected by this vulnerability, broadening the attack surface beyond standalone OpManager deployments.
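The build-number fingerprint described above can be turned into a small asset-inventory check: extract the build between the cachestart/ and /cacheend markers of a saved logon page body and compare it with the fix threshold from the description (12.5.329). This is an added example, not code from the database entry or from Zoho; the sample page body is constructed for the demonstration, and the exact surrounding HTML is an assumption, only the marker format comes from the entry.

```python
"""Classify an OpManager logon page against CVE-2021-3287 by build number.

Added example (not from the CVE entry). Assumptions: the build number appears
between "cachestart/" and "/cacheend" as the entry describes; builds below
12.5.329 are treated as vulnerable, matching the advisory text.
"""
import re
from typing import Optional, Tuple

# Fix threshold from the CVE description: "before 12.5.329".
FIXED_BUILD: Tuple[int, int, int] = (12, 5, 329)

# Marker format from the entry; the build is the dotted number between them.
BUILD_RE = re.compile(r"cachestart/(\d+(?:\.\d+)*)/cacheend")

# Constructed sample body (not a real capture); only the marker is meaningful.
SAMPLE_LOGON_BODY = (
    "<html><head><title>OpManager</title>\n"
    '<link rel="stylesheet" href="/cachestart/12.5.328/cacheend/css/login.css">\n'
    "</head><body>login form here</body></html>"
)


def parse_build(body: str) -> Optional[Tuple[int, ...]]:
    """Return the build as a tuple of ints, or None if the marker is absent."""
    match = BUILD_RE.search(body)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(build: Optional[Tuple[int, ...]]) -> str:
    """Map a parsed build to 'vulnerable', 'fixed' or 'unknown'.

    Builds older than 12.3.238 still count as vulnerable: the entry says the
    public exploit module does not fit them, but the flaw is present.
    """
    if build is None:
        return "unknown"
    # Pad short versions so "12.5" compares as 12.5.0 (below 12.5.329).
    padded = tuple(build) + (0,) * max(0, 3 - len(build))
    return "vulnerable" if padded[:3] < FIXED_BUILD else "fixed"


def assess(body: str) -> dict:
    """Convenience wrapper: parse and classify a logon page body."""
    build = parse_build(body)
    return {
        "build": ".".join(map(str, build)) if build else None,
        "status": classify(build),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOGON_BODY))
```

Run it against the body of a GET to the OpManager logon page saved from your own inventory scan; an "unknown" result means the marker was not found (different product build or a changed page layout), not that the host is safe.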

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL