Cyber Resilience

CVE-2022-37024

High

Published: 10 August 2022

Published
10 August 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5123 97.9th percentile
Risk Priority 48 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-37024 is a high-severity an unspecified weakness vulnerability in Zohocorp Manageengine Firewall Analyzer. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before the builds released 2022-07-29 through 2022-07-30 are affected by a vulnerability that permits authenticated users to perform database changes resulting in remote code execution. The flaw carries a CVSS 3.1 base score of 8.8.

An attacker who already possesses valid credentials on an affected installation can exploit the issue to modify database contents and ultimately achieve remote code execution on the server.

The vendor advisory at https://www.manageengine.com/itom/advisory/cve-2022-37024.html addresses the affected builds and outlines available patches. The associated EPSS score has remained at a peak and current value of 0.5123 with no material rise observed after disclosure.

EU & UK References

Vulnerability details

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zohocorp
manageengine firewall analyzer
12.5, 12.6
zohocorp
manageengine netflow analyzer
12.5, 12.6
zohocorp
manageengine network configuration manager
12.5, 12.6
zohocorp
manageengine opmanager
12.5, 12.6
zohocorp
manageengine opmanager msp
12.5, 12.6
zohocorp
manageengine opmanager plus
12.5, 12.6
zohocorp
manageengine oputils
12.5, 12.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References