Multiple zero-day vulnerabilities found in ManageEngine products


Digital Defense uncovered multiple, previously undisclosed vulnerabilities within several Zoho ManageEngine products.

ManageEngine offers more than 90 tools to help manage IT operations, including networks, servers, applications, service desk, Active Directory, security, desktops, and mobile devices. Currently, the company claims to have more than 40,000 customers, including three out of every five Fortune 500 company.

Vulnerability impact

The discovered vulnerabilities allow unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.

Affected applications include: ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.


  • DDI-VRT-2018-01 – Unauthenticated File Upload via /servlets/CmClientUtilServlet
  • DDI-VRT-2018-02 – Unauthenticated Blind SQL Injection via /servlets/RegisterAgent
  • DDI-VRT-2018-03 – Unauthenticated Blind SQL Injection via /servlets/StatusUpdateServlet and /servlets/AgentActionServlet
  • DDI-VRT-2018-04 – Multiple Unauthenticated Blind SQL Injections via /embedWidget
  • DDI-VRT-2018-05 – Unauthenticated XML External Entity Injection via /SNMPDiscoveryURL
  • DDI-VRT-2018-06 – Unauthenticated Blind SQL Injection via /unauthenticatedservlets/ELARequestHandler and /unauthenticatedservlets/NPMRequestHandler
  • DDI-VRT-2018-07 – User Enumeration via /servlets/ConfServlet.

What you can do

Zoho ManageEngine has addressed the vulnerabilities and is making patches […]

To read the original article:


Laisser un commentaire

Next Post

Another South Carolina School District Attacked With Ransomware

Ransomware Attacks Third South Carolina School District Over the last year, three different ransomware attacks have successfully infected three different South Carolina school districts.  The first reports of Horry County Schools being riddled with ransomware came in February of 2016.  That school district gained approval to pay the $8,500 ransom […]