Remote code execution in Zoho ManageEngine OpManager
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-18475 |
| CWE-ID | CWE-434 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Zoho ManageEngine OpManager Client/Desktop applications / Other client software |
| Vendor | Zoho Corporation |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Unrestricted file upload
EUVDB-ID: #VU15450
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-18475
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code with elevated privileges.
The weakness exists due to unrestricted upload of file with dangerous type. A remote attacker can upload a specially crafted file, trigger unspecified flaw and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 12.3.123214.
Vulnerable software versionsZoho ManageEngine OpManager: 12.3
CPE2.3 External linkshttp://seclists.org/fulldisclosure/2018/Oct/42
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
