PT-2018-5088 · Zoho · Zoho Manageengine Applications Manager

Lukasz Juszczyk

Published

2018-07-13

Updated

2019-10-09

CVE-2016-9498

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ManageEngine Applications Manager versions 12 through 13 before build 13200

Description The issue allows unserialization of unsafe Java objects, which can be exploited by a remote user without authentication. This enables the execution of remote code, compromising both the application and the operating system. Since the RMI registry of the Application Manager runs with system administrator privileges, exploiting this issue grants an attacker the highest privileges on the underlying operating system.

Recommendations For ManageEngine Applications Manager versions 12 through 13 before build 13200, update to build 13200 or later to resolve the issue.

Fix

RCE

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2016-9498

Affected Products

Zoho Manageengine Applications Manager

PT-2018-5088 · Zoho · Zoho Manageengine Applications Manager

CVE-2016-9498

Weakness Enumeration

Related Identifiers

Affected Products

References · 5