Local Privilege Escalation in Zoho ManageEngine Products
CVE-2019-12133

7.8 HIGH

What is CVE-2019-12133?

Multiple products within Zoho ManageEngine are susceptible to local privilege escalation due to inadequate permissions set for the ManageEngine directory and its subdirectories. This flaw allows non-privileged users to exploit services that execute binaries, such as sc.exe, from the current directory during system startup, enabling them to elevate their privileges to NT AUTHORITY\SYSTEM. This poses serious security risks and can lead to unauthorized access to sensitive data and system resources.
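A defender can check for the permission weakness described above by listing directories under the install root where ordinary users hold write-capable access. The script below is an added example, not code from the advisory or from Zoho; the default `$Root` path is an assumption and must be set to the actual ManageEngine install location on the host.

```powershell
param(
    # Assumed install location (not stated in the advisory); adjust per host.
    [string]$Root = 'C:\ManageEngine'
)

# Well-known SIDs of principals that ordinary local users are members of.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Bits that allow creating or replacing files in a directory, or rewriting its ACL.
# Modify and FullControl both include the CreateFiles and AppendData bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL, which can appear unmapped on inherit-only ACEs.
$genericMask = 0x50000000

$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Ask for SIDs so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        $canWrite = ($rights -band $writeMask) -or ($rights -band $genericMask)
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and $canWrite) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $lowPriv[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Any row here is a directory where a non-privileged user can place or replace files.
$findings | Format-Table -AutoSize
```

The script only reports Allow entries and does not evaluate Deny entries or file ownership, so treat an empty result as one check rather than proof that the tree is correctly locked down.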

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
