ZOHO Corp. ManageEngine OpManager SQL Injection Vulnerability

Photograph of ZOHO Corp. Building

When it comes to software vulnerabilities, that is security flaws that are exploitable by cyber-attackers, even IT industry market leaders (no matter the sector) are not impervious to cybersecurity shortcomings. Software vulnerabilities can also be reported containing singular or multiple flaws, where multiple cases mean more work for security developers. Recently, multiple software vulnerabilities have been registered more frequently, it seems.

As technology evolves exponentially with AI and 5G slowly becoming the norm, the time to consider ramping up cybersecurity across the industry is at hand. Simply put, the more complex the technology, implemented across more and more platforms, the more chance there is for error and the more opportunity there is for cybercriminals.

Why So Many Software Vulnerabilities?

When it comes to software vulnerabilities, the last decade has been marked by a paper sent to the IEEE (Institute of Electrical and Electronics Engineers) as ‘A Decade of Reocurring Software Weaknesses.’ According to this research paper, “In 2020, there were over 18 000 documented software vulnerabilities [1] that enable malicious activity.” Furthermore, the paper also posits that the cybersecurity standard for software vulnerabilities is not really there yet, “It is challenging to catch up with hackers; they need to find only one weak spot, while we (the community) have to defend entire systems. New doors also get opened (e.g., in recent years Object Deserialization injection). Nevertheless, the results of this study show that either we are incapable of correcting the most common software flaws, or we are focusing on the wrong ones.”

The ZOHO Corp. ManageEngine OpManager Vulnerability

Yet another software vulnerability is knocking at the door. This one is affecting a ZOHO Corp product. Specifically, it affects a product belonging to ZOHO Corp. that is called the ManageEngine OpManager. ManageEngine is the ‘enterprise IT management division of ZOHO Corp.’ ZOHO Corp. (ManageEngine) is one of the leaders in IT management systems.

The software vulnerability was reported on September 3rd, 2021. A software vulnerability report concerning ZOHO Corp.’s ManageEngine OpManager was made public on the ManageEngine official web page. The vulnerability is classified as high-risk, classified with CVE ID code CVE-2021-40493. The flaw can potentially lead to dangerous remote attacker risks.

In-Depth Details

The software vulnerability affecting the ManageEngine OpManager is an SQL injection vulnerability. In-depth technical details reveal the following information; The vulnerability allows a remote user to execute arbitrary SQL queries in the database. The vulnerability exists due to insufficient sanitization of user-supplied data in the support diagnostics module. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database. Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in the database and gain complete control over the affected application.

Vulnerable Software Versions

The software versions of ManageEngine OpManager that are vulnerable to the above issue are listed here;

ManageEngine OpManager versions; 12.5 125000, 12.5 125001, 12.5 125002, 12.5 125003, 12.5 125004, 12.5 125005, 12.5 125006, 12.5 125007, 12.5 125008, 12.5 125009, 12.5 125010, 12.5 125011,12.5 125012, 12.5 125100, 12.5 125101, 12.5 125102, 12.5 125108, 12.5 125110, 12.5 125111, 12.5 125112, 12.5 125113, 12.5 125114, 12.5 125116, 12.5 125117, 12.5 125118, 12.5 125120, 12.5 125121, 12.5 125123, 12.5 125124, 12.5 125125, 12.5 125127, 12.5 125128, 12.5 125129, 12.5 125136, 12.5 125137, 12.5 125139, 12.5 125140, 12.5 125143, 12.5 125144, 12.5 125145, 12.5 125147, 12.5 125148, 12.5 125149, 12.5 125150, 12.5 125156, 12.5 125157, 12.5 125158, 12.5 125159, 12.5 125161, 12.5 125163, 12.5 125174, 12.5 125175, 12.5 125176, 12.5 125177, 12.5 125178, 12.5 125180, 12.5 125181, 12.5 125192, 12.5 125193, 12.5 125194, 12.5 125195, 12.5 125196, 12.5 125197, 12.5 125198, 12.5 125201, 12.5 125203, 12.5 125204, 12.5 125212, 12.5 125213, 12.5 125214, 12.5 125215, 12.5 125216, 12.5 125221, 12.5 125228, 12.5 125229, 12.5 125230, 12.5 125231, 12.5 125232, 12.5 125233, 12.5 125235, 12.5 125300, 12.5 125306, 12.5 125307, 12.5 125312, 12.5 125323, 12.5 125324, 12.5 125326, 12.5 125328, 12.5 125329, 12.5 125340, 12.5 125341, 12.5 125342, 12.5 125343, 12.5 125344, 12.5 125346, 12.5 125358, 12.5 125359, 12.5 125360, 12.5 125361, 12.5 125362, 12.5 125364, 12.5 125366, 12.5 125367, 12.5 125375, 12.5 125376, 12.5 125377, 12.5 125378, 12.5 125379, 12.5 125380, 12.5 125381, 12.5 125382, 12.5 125386, 12.5 125392, 12.5 125393, 12.5 125394, 12.5 125397, 12.5 125398, 12.5 125399, 12.5 125405, 12.5 125410, 12.5 125411, 12.5 125413, 12.5 125414, 12.5 125415, 12.5 125416, 12.5 125417, 12.5 125420, 12.5 125428, 12.5 125430, 12.5 125431, 12.5 125432, 12.5 125433, 12.5 125434, 12.5 125446, 12.5 125448, 12.5 125450, 12.5 125451, 12.5 125452

Important User Information

A patch has been made available for customers/users of ZOHO Corp. ManageEngine OpManager. The software security fix should occur automatically. Alternatively, please consult ManageEngine support.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.