cbcvebase.
CVE-2022-36923
published 2022-08-10

CVE-2022-36923: Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27…

Priority: P1 (81)
CVSS 3.1: 7.5 (high), AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 7.93% (94.0th percentile)
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

Affected

14 ranges. The version-range and fixed-in columns were not recovered on this page; each product is listed twice, once per range.

Vendor    Product
zohocorp  manageengine_firewall_analyzer
zohocorp  manageengine_netflow_analyzer
zohocorp  manageengine_network_configuration_manager
zohocorp  manageengine_opmanager
zohocorp  manageengine_opmanager_msp
zohocorp  manageengine_opmanager_plus
zohocorp  manageengine_oputils

Detection & IOCs (extracted from sources)

url: /RestAPI/getAPIKey
command: operation=getUserAPIKey&username=admin&domainname=-&HANDSHAKE_KEY=pppppppppppppppppppppppppppppppppppp
cookie: opmcsrfcookie=
  • Detect unauthenticated POST requests to /RestAPI/getAPIKey with body containing 'operation=getUserAPIKey' and a fixed/dummy HANDSHAKE_KEY value (e.g. repeated 'p' characters), indicating exploitation of the authentication bypass.
  • A successful exploitation response is exactly 34 bytes, returns HTTP 200, matches a hex string pattern ([0-9a-f]+), and sets the cookie 'opmcsrfcookie='. Monitor for these response characteristics to confirm API key leakage.
  • The vulnerability affects Zoho ManageEngine products before build numbers 125657, 126002, 126104, and 126118 (patched 2022-07-27 through 2022-07-28). Verify installed build version to assess exposure.
  • The Nuclei template targets the endpoint with 'username=admin' hardcoded; real-world attackers may enumerate other usernames. Detection rules should not be limited to the 'admin' username in the POST body.
  • The HANDSHAKE_KEY value used in the PoC ('pppppppppppppppppppppppppppppppppppp') is a dummy/bypass value; the vulnerability allows any value to succeed, so detection should focus on the endpoint and operation parameter rather than a specific HANDSHAKE_KEY.
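The detection notes above boil down to one rule: match the endpoint and the `operation` parameter, ignore the `username` and `HANDSHAKE_KEY` values, and use the response shape (HTTP 200, 34-byte hex body, `opmcsrfcookie=` set) to separate attempts from confirmed key leakage. The following is an added example of that logic in Python; it is not code from cbcvebase, Zoho or any source cited here. It assumes request/response records have already been normalised into dicts with the fields shown (method, path, an `authenticated` flag derived upstream from the session, request body, status, response body, Set-Cookie), and all sample events are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and operation named in the detection notes for CVE-2022-36923.
TARGET_PATH = "/RestAPI/getAPIKey"
TARGET_OPERATION = "getUserAPIKey"
# A leaked key is described as a 34-byte lowercase hex string.
HEX_BODY = re.compile(r"^[0-9a-f]+$")
LEAK_LENGTH = 34

# Constructed events (not real traffic), shaped like what a reverse proxy or
# WAF might emit after pairing a request with its response. The "authenticated"
# flag is an assumed field set by an upstream session check.
SAMPLE_EVENTS = [
    {   # PoC-style request; response looks like a leaked key -> confirmed
        "method": "POST", "path": TARGET_PATH, "authenticated": False,
        "body": "operation=getUserAPIKey&username=admin&domainname=-"
                "&HANDSHAKE_KEY=pppppppppppppppppppppppppppppppppppp",
        "status": 200, "resp_body": "0123456789abcdef0123456789abcdef01",
        "set_cookie": "opmcsrfcookie=; Path=/",
    },
    {   # Different username and handshake value, server refused -> attempt
        "method": "POST", "path": TARGET_PATH, "authenticated": False,
        "body": "operation=getUserAPIKey&username=operator&domainname=-"
                "&HANDSHAKE_KEY=zzz",
        "status": 401, "resp_body": "", "set_cookie": "",
    },
    {   # Wrong method: the notes describe POST requests only -> no finding
        "method": "GET", "path": TARGET_PATH, "authenticated": False,
        "body": "", "status": 404, "resp_body": "", "set_cookie": "",
    },
    {   # Query string on the path; 200 but body is not a hex key -> attempt
        "method": "POST", "path": TARGET_PATH + "?debug=1",
        "authenticated": False,
        "body": "operation=getUserAPIKey&username=svc&domainname=-&HANDSHAKE_KEY=x",
        "status": 200, "resp_body": "error", "set_cookie": "",
    },
    {   # Same operation from an authenticated session -> normal use
        "method": "POST", "path": TARGET_PATH, "authenticated": True,
        "body": "operation=getUserAPIKey&username=admin&domainname=-&HANDSHAKE_KEY=x",
        "status": 200, "resp_body": "0123456789abcdef0123456789abcdef01",
        "set_cookie": "opmcsrfcookie=; Path=/",
    },
]


def parse_body(body):
    """Flatten a form-encoded body into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(event):
    """Return None (benign), 'attempt' or 'confirmed' for one event."""
    if event.get("method") != "POST":
        return None
    # Compare the path component only, so a query string cannot evade the match.
    if urlsplit(event.get("path", "")).path != TARGET_PATH:
        return None
    if event.get("authenticated"):
        return None
    params = parse_body(event.get("body", ""))
    # Match on the operation alone; username and HANDSHAKE_KEY are attacker-chosen.
    if params.get("operation") != TARGET_OPERATION:
        return None
    resp = event.get("resp_body", "")
    leaked = (
        event.get("status") == 200
        and len(resp) == LEAK_LENGTH
        and HEX_BODY.match(resp) is not None
        and "opmcsrfcookie=" in event.get("set_cookie", "")
    )
    return "confirmed" if leaked else "attempt"


def scan(events):
    """Return (index, verdict, requested username) for every flagged event."""
    findings = []
    for i, event in enumerate(events):
        verdict = classify(event)
        if verdict:
            findings.append((i, verdict, parse_body(event.get("body", "")).get("username")))
    return findings


if __name__ == "__main__":
    for index, verdict, user in scan(SAMPLE_EVENTS):
        print(f"event {index}: {verdict} (username={user})")
```

The username is reported rather than matched, so the rule catches enumeration of accounts other than `admin`; the `authenticated` check is what keeps legitimate in-product use of the same operation out of the alert queue, and a deployment would replace that field with whatever session signal the proxy or WAF actually records.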

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH