CVE-2022-36923
Published: 2022-08-10
Priority: P181 · Severity: high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 7.93% (94.0th percentile)
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.
Affected
14 ranges (two per product; version range and fixed-in values are not given)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_firewall_analyzer | — | — |
| zohocorp | manageengine_netflow_analyzer | — | — |
| zohocorp | manageengine_network_configuration_manager | — | — |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager_msp | — | — |
| zohocorp | manageengine_opmanager_plus | — | — |
| zohocorp | manageengine_oputils | — | — |
Detection & IOCs (extracted from sources)
Command: `operation=getUserAPIKey&username=admin&domainname=-&HANDSHAKE_KEY=pppppppppppppppppppppppppppppppppppp`
- Detect unauthenticated POST requests to /RestAPI/getAPIKey whose body contains 'operation=getUserAPIKey' together with a fixed or dummy HANDSHAKE_KEY value (for example, a run of repeated 'p' characters); this indicates exploitation of the authentication bypass.
- A successful exploitation response is exactly 34 bytes, returns HTTP 200, matches the hex pattern [0-9a-f]+, and sets the cookie 'opmcsrfcookie='. Monitor for these response characteristics to confirm that an API key was leaked.
- The vulnerability affects Zoho ManageEngine products before build numbers 125657, 126002, 126104, and 126118 (patched 2022-07-27 through 2022-07-28). Verify the installed build number to assess exposure.
- The Nuclei template hardcodes 'username=admin'; real-world attackers may enumerate other usernames, so detection rules should not be limited to the 'admin' username in the POST body.
- The HANDSHAKE_KEY value used in the PoC ('pppppppppppppppppppppppppppppppppppp') is a dummy bypass value; the vulnerability allows any value to succeed, so detection should focus on the endpoint and the operation parameter rather than on a specific HANDSHAKE_KEY.
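The detection notes above, turned into a classifier over pre-parsed web-server or proxy log events. This is an added example, not code from the page or from any vendor or detection-rule source; the event field names (method, path, body, status, resp_body, set_cookie) and the sample events are assumptions constructed for illustration.

```python
"""Flag CVE-2022-36923 exploitation attempts in web-server or proxy logs."""
import re
from typing import Optional
from urllib.parse import parse_qs

ENDPOINT = "/RestAPI/getAPIKey"          # endpoint named in the detection notes
HEX_BODY = re.compile(r"^[0-9a-f]+$")    # a leaked key is a bare hex string

def classify(event: dict) -> Optional[str]:
    """Classify one request/response pair as 'success', 'attempt' or None.

    `event` is a pre-parsed record with keys method, path, body, status,
    resp_body and set_cookie (assumed field names, not any product's schema).
    """
    path = event.get("path", "").split("?", 1)[0]
    if event.get("method") != "POST" or path != ENDPOINT:
        return None
    params = parse_qs(event.get("body", ""))
    if params.get("operation", [""])[0] != "getUserAPIKey":
        return None
    # Deliberately no check on username or HANDSHAKE_KEY: the bypass works
    # with any username and any HANDSHAKE_KEY value, so matching the PoC's
    # 'admin' / 'ppp...' literals would miss real attackers.
    resp = event.get("resp_body", "")
    key_returned = (
        event.get("status") == 200
        and len(resp) == 34
        and HEX_BODY.match(resp) is not None
        and "opmcsrfcookie=" in event.get("set_cookie", "")
    )
    return "success" if key_returned else "attempt"

def summarize(events: list) -> dict:
    """Count attempts and successes across a batch of events."""
    labels = [classify(ev) for ev in events]
    return {"attempt": labels.count("attempt"), "success": labels.count("success")}

# Constructed sample events (not real traffic); the 34-char hex body is made up.
SAMPLE_EVENTS = [
    {"method": "POST", "path": ENDPOINT, "status": 200,
     "body": "operation=getUserAPIKey&username=admin&domainname=-&HANDSHAKE_KEY=" + "p" * 36,
     "resp_body": "deadbeef" * 4 + "ab", "set_cookie": "opmcsrfcookie=x; Path=/"},
    {"method": "POST", "path": ENDPOINT + "?x=1", "status": 401,
     "body": "operation=getUserAPIKey&username=operator&domainname=-&HANDSHAKE_KEY=abc",
     "resp_body": "", "set_cookie": ""},
    {"method": "GET", "path": ENDPOINT, "status": 405, "body": "",
     "resp_body": "", "set_cookie": ""},
]
```

Run `summarize(SAMPLE_EVENTS)` to get per-batch counts; the second event is flagged as an attempt even though it uses a non-admin username and an arbitrary HANDSHAKE_KEY, which is the point the notes make.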
CVSS provenance
- NVD: CVSS 3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
GHSA
GHSA-hc4f-4mvr-7cv9 (ghsa_unreviewed, 2022-08-11): CVE-2022-36923 [HIGH], CWE-284
Title: Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 202
Description: identical to the CVE description above.
VulnCheck
Zoho manageengine_firewall_analyzer Improper Handling of Exceptional Conditions (vulncheck, 2022, CVE-2022-36923 [HIGH], CVSS 7.5)
Description: identical to the CVE description above.
Affected: Zoho manageengine_firewall_analyzer
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2022-36923; https://dashboard.shadowserver.org/statistics/honey
No detection rules found.
Nuclei
Zoho ManageEngine - getUserAPIKey Authentication Bypass (nuclei, CVE-2022-36923 [HIGH], CVSS 7.5)
Description: identical to the CVE description above.
Template:
```yaml
id: CVE-2022-36923

info:
  name: Zoho ManageEngine - getUserAPIKey Authentication Bypass
  author: daffainfo,jjcho
  severity: high
  description: |
    Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.
```
No writeups or analysis indexed.
Timeline: 2022-08-10 published; exploited in the wild.