Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:0F5907F8-AD8E-4FBE-B1C8-67F94A5257EE
HistoryAug 04, 2017 - 12:00 a.m.

CVE-2015-9107

2017-08-0400:00:00
attackerkb.com
9

EPSS

0.001

Percentile

46.5%

JSON

Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn’t use a per-system key or even a salt; therefore, it’s possible to create a universal decryptor.

Recent assessments:

theguly at February 28, 2020 5:05pm UTC reported:

disclaimer: CVE owner here.

because of what opmanager needs to operate, a successful exploitation will give an attacker very often privileges access to lot of network device and system.
this lead to lot of lateral movement and juicy owning.

i didn’t have the chance to test on later version, but given vendors reply i think also recent one are vulnerable.

p.s.: i’m rating exploitability as medium because an attacker has to exploit another sql injection vulnerability to dump the database. even if opmanager has a poor security history, this vulnerability by itself isn’t straightforwardly exploitable.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 3

Related

prion 1
nvd 1
cvelist 1
cve 1
openvas 1
prion
prion
Design/Logic Flaw
2017-08-04 00:29:00
nvd
nvd
CVE-2015-9107
2017-08-04 00:29:00
cvelist
cvelist
CVE-2015-9107
2017-08-04 00:00:00
cve
cve
CVE-2015-9107
2017-08-04 00:29:00
openvas
openvas
ManageEngine OpManager 11 - 12.2 Weak Encryption Algorithm Vulnerability
2017-08-07 00:00:00

EPSS

0.001

Percentile

46.5%

JSON
Related for AKB:0F5907F8-AD8E-4FBE-B1C8-67F94A5257EE
prion1nvd1cvelist1cve1openvas1