Lucene search
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeZDI-22-1181HistorySep 01, 2022 - 12:00 a.m.
ManageEngine OpManager Plus getNmapInitialOption Command Injection Remote Code Execution Vulnerability
2022-09-0100:00:00
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
www.zerodayinitiative.com
10
manageengine opmanager plus
command injection
remote code execution
vulnerability
authentication
getnmapinitialoption
system call
user-supplied string
context of system
0.009 Low
EPSS
Percentile
82.4%
This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine OpManager Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the getNmapInitialOption function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
Related
cvelist
cvelist
CVE-2022-38772
2022-08-29 20:21:57
zdi
zdi
nvd
nvd
CVE-2022-38772
2022-08-29 21:15:09
cve
cve
CVE-2022-38772
2022-08-29 21:15:09
prion
prion
Code injection
2022-08-29 21:15:00