Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

The version of ManageEngine NetFlow Analyzer running on the remote web server 12.5.x prior to 12.5.657, or 12.6.x prior to 12.6.002 / 12.6.104 / 12.6.118. It is, there, affected by an authentication bypass vulnerability. Due to the lack of proper request handling an unauthenticated, remote attacker can retrieve the API key of a valid user and access external APIs.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The ManageEngine Firewall Analyzer running on the remote host is affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to obtain a user's API key and then access the external APIs.

The version of ManageEngine OpManager running on the remote web server 12.5.x prior to 12.5.657, or 12.6.x prior to 12.6.002 / 12.6.104 / 12.6.118. It is, there, affected by an authentication bypass vulnerability. Due to the lack of proper request handling an unauthenticated, remote attacker can retrieve the API key of a valid user and access external APIs.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of ManageEngine Firewall Analyzer running on the remote web server 12.5.x prior to 12.5.657, or 12.6.x prior to 12.6.002 / 12.6.104 / 12.6.118. It is, there, affected by an authentication bypass vulnerability. Due to the lack of proper request handling an unauthenticated, remote attacker can retrieve the API key of a valid user and access external APIs.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of ManageEngine NCM running on the remote web server 12.5.x prior to 12.5.657, or 12.6.x prior to 12.6.002 / 12.6.104 / 12.6.118. It is, there, affected by an authentication bypass vulnerability. Due to the lack of proper request handling an unauthenticated, remote attacker can retrieve the API key of a valid user and access external APIs.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
186537	ManageEngine NetFlow Analyzer 12.5.x < 12.5.657 / 12.6.x < 12.6.002 / 12.6.104 / 12.6.118 Authenticate Bypass	Nessus	CGI abuses	high
171893	ManageEngine Firewall Analyzer REST API Key Disclosure (CVE-2022-36923)	Nessus	CGI abuses	high
164451	ManageEngine OpManager 12.5.x < 12.5.657 / 12.6.x < 12.6.002 / 12.6.104 / 12.6.118 Authenticate Bypass	Nessus	CGI abuses	high
164450	ManageEngine Firewall Analyzer 12.5.x < 12.5.657 / 12.6.x < 12.6.002 / 12.6.104 / 12.6.118 Authenticate Bypass	Nessus	CGI abuses	high
164449	ManageEngine NCM 12.5.x < 12.5.657 / 12.6.x < 12.6.002 / 12.6.104 / 12.6.118 Authenticate Bypass	Nessus	CGI abuses	high

Detections

Analytics

CVE-2022-36923

high

Tenable Plugins

high

high

high

high

high