CVE-2015-7766
60Vexday Risk Score
Patch soon. It has a working public exploit.
ssvc Attendepss 81%
from disclosure to weapon0 days
Published on NVDOct 9
1st PoCSep 17
metasploitSep 14
exploitation probability
81%top 1% of all CVEs
observed exploitation
nono source reports it
3 public exploit(s)
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."
Affected products
n/a · n/apublic PoCs found — 3
cve_referencepacketstormsecurity.com/files/133596/ManageEngine-OpManager-Remote-Code-Execution.htmlunverifiedcve_referencewww.exploit-db.com/exploits/38221/unverifiedexploitdbwww.exploit-db.com/exploits/38221unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/133596/ManageEngine-OpManager-Remote-Code-Execution.htmlhttp://seclists.org/fulldisclosure/2015/Sep/66https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerabilityhttps://www.exploit-db.com/exploits/38221/http://www.rapid7.com/db/modules/exploit/windows/http/manage_engine_opmanager_rce