CVE-2018-17283

HIGH EXPLOITED NUCLEI

Zoho ManageEngine OpManager <12.3 Build 123196 - SQL Injection

Description

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.

Nuclei Templates (1)

Zoho ManageEngine OpManager - SQL Injection
HIGH VERIFIED by DhiyaneshDK
Shodan: http.title:"OpManager"
FOFA: title="OpManager"

Scores

CVSS v3 7.5
EPSS 0.2786
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2024-01-06
CWE CWE-89
Status published
Products (1)
zohocorp/manageengine_opmanager < 12.3
Published Sep 21, 2018
Tracked Since Feb 18, 2026