CVE-2023-31099
Published: 2023-05-04

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.

Priority: P2 (74) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 81.56% (99.6th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | < 12.6 | 12.6 |
| zohocorp | manageengine_opmanager | — | — |
Detection & IOCs (extracted from sources)

- url: /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.RegionalListener
- bytes: |ac ed 00 05|
- bytes: |24|DataObject
- bytes: |00 00 00 18|
- snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager getObjectData Insecure Deserialization RCE (CVE-2023-31099)"; flow:established,to_server; pcre:"/\x0d\x0a[rR][eE][gG][iI][oO][nN][iI][dD]\x3a\s*(?P<reqid>[^\x0d\x0a]+).*regReqID.*?(?P=reqid)/s"; http.uri; content:"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.RegionalListener"; fast_pattern; http.header; to_lowercase; content:"authkey|3a|"; content:"regionid|3a|"; content:"method|3a|"; http.request_body; content:"|ac ed 00 05|"; startswith; content:"|24|DataObject"; content:"|00 00 00 18|"; distance:0; content:"|78|"; distance:0; pcre:"/^[\x9c\xda]/R"; reference:url,xz.aliyun.com/news/12662; reference:cve,2023-31099; classtype:web-application-attack; sid:2066289; rev:1;)
- Exploit traffic targets the RegionalListener servlet endpoint via HTTP POST. Look for requests to /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.RegionalListener whose HTTP headers contain 'authkey:', 'regionid:' and 'method:' fields.
- The HTTP request body begins with the Java serialization magic bytes 0xAC 0xED 0x00 0x05, indicating that a Java deserialization payload is being sent to the getObjectData handler.
- The deserialized payload contains the string 'DataObject' (preceded by the byte 0x24), followed by the byte sequence 0x00 0x00 0x00 0x18 and then 0x78, with the next byte being 0x9C or 0xDA (the second byte of a zlib stream header).
- The rule's PCRE requires the regionID header value to be reflected in the regReqID field of the same request; this reflection can be used as a correlation pattern to identify exploit attempts.
- Exploitation requires an authenticated session but leads to RCE via probe servers. Monitor for unusual outbound connections or process spawning from the ManageEngine OpManager process after requests to the RegionalListener endpoint.
- The Snort/Suricata rule requires TLS decryption to be effective against HTTPS traffic, as indicated by the metadata tag 'tls_state TLSDecrypt' and the deployment tag 'SSLDecrypt'.
- The vulnerability affects Zoho ManageEngine OPManager through version 126323. Ensure detection coverage is scoped to this version range.
Suricata rule: ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager getObjectData Insecure Deserialization RCE (CVE-2023-31099) [HIGH] · suricata · 2025-12-11 · CVSS 8.8 (full rule text listed under Detection & IOCs above)
No public exploits indexed.
No writeups or analysis indexed.