CVE-2021-3287

CRITICAL EXPLOITED NUCLEI

ManageEngine OpManager SumPDU Java Deserialization

Title source: metasploit

Exploitation Summary

CVE-2021-3287 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit, credited to researchers including Johannes Moritz, Robin Peraglie and Spencer McIntyre: the Metasploit module exploits/multi/http/opmanager_sumpdu_deserialization. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a Java deserialization vulnerability in ManageEngine OpManager's Smart Update Manager component, allowing unauthenticated remote code execution (RCE) as NT AUTHORITY\SYSTEM on Windows or root on Linux. It supports multiple payload types and includes version detection to target either CVE-2020-28653 or CVE-2021-3287.

Description

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Johannes Moritz, Robin Peraglie, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine OpManager versions 12.1 - 12.5.328
No auth needed
Prerequisites: Network access to port 8060 · Vulnerable version of ManageEngine OpManager
devstral-2 · analyzed Apr 30, 2026

Nuclei Templates (1)

Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution
CRITICAL · VERIFIED · by theamanrawat
Shodan: http.title:"opmanager plus" || http.title:"opmanager"
FOFA: title="opmanager plus" || title="opmanager"

Scores

CVSS v3 9.8
EPSS 0.5133
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-01-13
CWE CWE-502
Status published
Products (1)
zohocorp/manageengine_opmanager 12.5 (50 CPE variants)
Published Apr 22, 2021
Tracked Since Feb 18, 2026