CVE-2020-28653 : Zoho ManageEngine OpManager Stable build before 125203 (and Released build befor

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

Published 2021-02-03 16:15:14

Updated 2022-04-18 15:23:31

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2020-28653

Zohocorp » Manageengine Opmanager
Versions before (<) 12.5
cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125000
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125000:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125002
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125002:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125100
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125100:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125101
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125101:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125102
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125102:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125108
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125108:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125110
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125110:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125111
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125111:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125112
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125112:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125113
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125113:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125114
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125114:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125116
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125116:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125117
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125117:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125118
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125118:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125120
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125120:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125121
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125121:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125123
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125123:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125124
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125124:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125125
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125125:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125136
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125136:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125137
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125137:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125139
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125139:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125140
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125140:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125143
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125143:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125144
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125144:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125145
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125145:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125156
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125156:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125157
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125157:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125158
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125158:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125159
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125159:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125161
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125161:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125163
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125163:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125174
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125174:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125175
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125175:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125176
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125176:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125177
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125177:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125178
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125178:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125180
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125180:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125181
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125181:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125192
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125192:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125193
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125193:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125194
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125194:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125195
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125195:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125196
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125196:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125197
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125197:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125198
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125198:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125201
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125201:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125204
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125204:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125212
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125212:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125213
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125213:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125214
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125214:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125215
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125215:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125216
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125216:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125228
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125228:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125229
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125229:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125230
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125230:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125231
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125231:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Opmanager » Version: 12.5 Update Build125232
cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125232:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-28653

EPSS FAQ

82.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2020-28653

ManageEngine OpManager SumPDU Java Deserialization

Disclosure Date: 2021-07-26

First seen: 2022-12-23

exploit/multi/http/opmanager_sumpdu_deserialization

An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application (NT

More information

CVSS scores for CVE-2020-28653

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2020-28653

https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125233

Read me | OpManager Help
Release Notes;Vendor Advisory
https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125203

Read me | OpManager Help
Release Notes;Vendor Advisory
http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html

ManageEngine OpManager SumPDU Java Deserialization ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-28653

Products affected by CVE-2020-28653

Exploit prediction scoring system (EPSS) score for CVE-2020-28653

Metasploit modules for CVE-2020-28653

ManageEngine OpManager SumPDU Java Deserialization

CVSS scores for CVE-2020-28653

References for CVE-2020-28653