Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn’t use a per-system key or even a salt; therefore, it’s possible to create a universal decryptor.
Recent assessments:
theguly at February 28, 2020 5:05pm UTC reported:
disclaimer: CVE owner here.
because of what opmanager needs to operate, a successful exploitation will give an attacker very often privileges access to lot of network device and system.
this lead to lot of lateral movement and juicy owning.
i didn’t have the chance to test on later version, but given vendors reply i think also recent one are vulnerable.
p.s.: i’m rating exploitability as medium because an attacker has to exploit another sql injection vulnerability to dump the database. even if opmanager has a poor security history, this vulnerability by itself isn’t straightforwardly exploitable.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 3