Cyber Resilience

CVE-2022-38772

High

Published: 29 August 2022

Modified: 21 November 2024
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3914 (97.4th percentile)
Risk Priority: 41 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-38772 is a high-severity vulnerability, with an unspecified weakness type, in Zohocorp ManageEngine OpManager. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils versions prior to 125658, 126003, 126105, and 126120 contain a vulnerability that permits authenticated users to alter database entries, resulting in remote code execution through the NMAP feature. The issue carries a CVSS 3.1 score of 8.8 and affects multiple ManageEngine IT operations management products that share the same underlying code base.

An attacker with valid low-privileged credentials can exploit the flaw over the network without user interaction to modify database records and trigger arbitrary code execution, achieving full compromise of confidentiality, integrity, and availability on the affected server.

Vendor advisories published at manageengine.com and https://www.manageengine.com/itom/advisory/cve-2022-38772.html direct customers to apply the listed fixed builds to eliminate the database modification path that leads to NMAP-based code execution.

The associated EPSS score has remained flat at its peak value of 0.3914 since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
zohocorp | manageengine netflow analyzer | 12.5, 12.6
zohocorp | manageengine network configuration manager | 12.5, 12.6
zohocorp | manageengine opmanager | 12.5, 12.6
zohocorp | manageengine opmanager msp | 12.5, 12.6
zohocorp | manageengine opmanager plus | 12.5, 12.6
zohocorp | manageengine oputils | 12.5, 12.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.