CVE-2018-7890

CRITICAL

Zoho ManageEngine Applications Manager <13.6 - Command Injection

Title source: llm

Description

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.

Exploits (2)

exploitdb WORKING POC

by Mehmet Ince · rubywebappsjava

https://www.exploit-db.com/exploits/44274

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Mehmet Ince <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_appmanager_exec.rb

View Code ZIP pw:eip

References (6)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/103358

[Exploit, Third Party Advisory] https://github.com/rapid7/metasploit-framework/pull/9684

[Exploit, Technical Description, Third Party Advisory] https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/

[Third Party Advisory] https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/44274/

[Various Sources] https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-7890.html

Scores

CVSS v3 9.8

EPSS 0.8628

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

zohocorp/manageengine_applications_manager < 13.6

Published Mar 08, 2018

Tracked Since Feb 18, 2026