Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-36923

CWE-755 — Improper Exception Handling CWE-284 — Improper Access Control5 documents5 sources

Severity

7.5HIGH

EPSS

32.5%

top 3.14%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine Firewall Analyzer Zohocorp Manageengine Netflow Analyzer Zohocorp Manageengine Network Configuration Manager +4 more

Timeline

PublishedAug 10

Latest updateAug 11

Description

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶NVDzohocorp/manageengine_opmanager_plus12.5, 12.6+1

▶NVDzohocorp/manageengine_opmanager12.5, 12.6+1

▶NVDzohocorp/manageengine_opmanager_msp12.5, 12.6+1

▶NVDzohocorp/manageengine_netflow_analyzer12.5, 12.6+1

▶NVDzohocorp/manageengine_firewall_analyzer12.5, 12.6+1

🔴Vulnerability Details

GHSA

GHSA-hc4f-4mvr-7cv9: Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 202↗2022-08-11

▶

CVEList

CVE-2022-36923: Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 202↗2022-08-10

▶

VulnCheck

Zoho manageengine_firewall_analyzer Improper Handling of Exceptional Conditions↗2022

▶

💥Exploits & PoCs

Nuclei

Zoho ManageEngine - getUserAPIKey Authentication Bypass

▶