CVE-2023-47211
published 2024-01-08


Priority: P2 · 72 · high
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
Exploit: available
EPSS: 47.02% (98.7th percentile)
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.

Affected (16 ranges)

Vendor       | Product                                     | Version range          | Fixed in
linux        | linux_kernel                                | >= 0 < 4.4.0-269.303   | 4.4.0-269.303
manageengine | opmanager                                   |                        |
zohocorp     | manageengine_firewall_analyzer              | < 12.7                 | 12.7
zohocorp     | manageengine_firewall_analyzer              |                        |
zohocorp     | manageengine_netflow_analyzer               | < 12.7                 | 12.7
zohocorp     | manageengine_netflow_analyzer               |                        |
zohocorp     | manageengine_network_configuration_manager  | < 12.7                 | 12.7
zohocorp     | manageengine_network_configuration_manager  |                        |
zohocorp     | manageengine_opmanager                      | < 12.7                 | 12.7
zohocorp     | manageengine_opmanager                      |                        |
zohocorp     | manageengine_opmanager_msp                  | < 12.7                 | 12.7
zohocorp     | manageengine_opmanager_msp                  |                        |
zohocorp     | manageengine_opmanager_plus                 | < 12.7                 | 12.7
zohocorp     | manageengine_opmanager_plus                 |                        |
zohocorp     | manageengine_oputils                        | < 12.7                 | 12.7
zohocorp     | manageengine_oputils                        |                        |

Detection & IOCs (extracted from sources)

url: /client/api/json/mibbrowser/uploadMib
path: ../images/karas
filename: karas.txt
cookie: opmcsrfcookie
other: X-ZCSRF-TOKEN: opmcsrftoken=<token>
  • Detect exploitation attempts by matching POST requests to /client/api/json/mibbrowser/uploadMib with a multipart body containing path traversal sequences (e.g., '../') in the MIB filename or file content.
  • A successful exploitation attempt returns HTTP 200 with Content-Type application/json and the body containing the string 'MIBFile with same name already exists', indicating the traversal-named file was already written.
  • Monitor for the presence of the X-ZCSRF-TOKEN header with value pattern 'opmcsrftoken=<50+ char token>' in POST requests to the uploadMib endpoint, indicating an authenticated traversal attempt.
  • Look for multipart/form-data uploads to OpManager where the MIB file content begins with a path traversal string such as '../images/' rather than a valid MIB module name.
  • Shodan/FOFA fingerprint for exposed OpManager instances: search for HTTP title 'OpManager Plus' to identify attack surface.
  • The vulnerability is confirmed on ManageEngine OpManager version 12.7.258 specifically; other versions may or may not be affected.
  • The CSRF token (opmcsrfcookie) must be at least 50 characters long and is extracted from the Set-Cookie response header after login; detections relying on static token values will not work.
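As an added illustration of the detection logic in the notes above (not code from the advisory or its sources), a small Python checker that parses a multipart upload to the uploadMib endpoint and returns the reasons it matches, plus the response signature check; the request model, the form field name 'mibFile' and the sample traffic are constructed assumptions.

```python
import re
from dataclasses import dataclass
UPLOAD_PATH = "/client/api/json/mibbrowser/uploadMib"
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")                  # '../' or '..\'
CSRF_RE = re.compile(r"opmcsrftoken=[A-Za-z0-9]{50,}")   # 50+ character token, per the notes above
SUCCESS_MARKER = "MIBFile with same name already exists"
@dataclass
class Request:      # one parsed HTTP request (header names assumed already canonicalised)
    method: str
    path: str
    headers: dict
    body: str

def multipart_parts(body, boundary):
    """Split a multipart/form-data body into (part_headers, content) pairs."""
    parts = []
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip()
        if chunk not in ("", "--"):              # skip preamble and closing delimiter
            head, _, content = chunk.partition("\r\n\r\n")
            parts.append((head, content))
    return parts

def assess(req):
    """Return the reasons (empty if none) a request matches the CVE-2023-47211 pattern."""
    if req.method != "POST" or req.path.split("?", 1)[0] != UPLOAD_PATH:
        return []
    m = re.search(r'boundary="?([^";]+)"?', req.headers.get("Content-Type", ""))
    reasons = []
    for head, content in (multipart_parts(req.body, m.group(1)) if m else []):
        fn = re.search(r'filename="([^"]*)"', head)
        if fn and TRAVERSAL_RE.search(fn.group(1)):
            reasons.append("traversal in filename: " + fn.group(1))
        if TRAVERSAL_RE.match(content.lstrip()):
            reasons.append("file content starts with traversal")
    if reasons and CSRF_RE.search(req.headers.get("X-ZCSRF-TOKEN", "")):
        reasons.append("X-ZCSRF-TOKEN present (authenticated attempt)")
    return reasons

def response_indicates_success(status, content_type, body):
    # Success signature from the notes above: HTTP 200, JSON content type, 'already exists' message.
    return status == 200 and content_type.startswith("application/json") and SUCCESS_MARKER in body

# Constructed sample traffic; the form field name 'mibFile' is an assumption, not from the advisory.
_B = "----constructed"
_HDRS = {"Content-Type": "multipart/form-data; boundary=" + _B, "X-ZCSRF-TOKEN": "opmcsrftoken=" + "a" * 60}
def _upload(filename, content):
    return Request("POST", UPLOAD_PATH, _HDRS, "--" + _B + "\r\nContent-Disposition: form-data; "
                   f'name="mibFile"; filename="{filename}"\r\nContent-Type: text/plain\r\n\r\n'
                   + content + "\r\n--" + _B + "--\r\n")
SUSPICIOUS = _upload("karas.txt", "../images/karas")          # content begins with the traversal
BENIGN = _upload("IF-MIB.txt", "IF-MIB DEFINITIONS ::= BEGIN")
```

Feed `assess` parsed requests from a proxy or WAF log; a non-empty result is the alert, and `response_indicates_success` on the paired response tells you whether the write is believed to have landed.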

CVSS provenance

nvd: v3.1 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
osv: 5.5 MEDIUM