CVE-2020-27733

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary SQL commands via a crafted Alarmview request in Zoho ManageEngine Applications Manager. It affects organizations using vulnerable versions of the software, potentially leading to data breaches or system compromise.

💻 Affected Systems

Products:
  • Zoho ManageEngine Applications Manager
Versions: All versions before 14 build 14880
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access, but any authenticated user can potentially exploit this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, data exfiltration, privilege escalation to administrative access, and potential remote code execution on the underlying server.

🟠 Likely Case: Unauthorized data access, modification or deletion of application data, and potential lateral movement within the network.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH - If the application is exposed to the internet, attackers can exploit it remotely after obtaining valid credentials.
🏢 Internal Only: HIGH - Even internally, authenticated users or compromised accounts can exploit this vulnerability to escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly exploited and weaponized. While no public PoC is confirmed, the vulnerability type suggests exploitation is straightforward for attackers with valid credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14 build 14880 or later

Vendor Advisory: https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-27733.html

Restart Required: Yes

Instructions:

1. Download the latest version from the ManageEngine website.
2. Back up your current installation and database.
3. Stop the Applications Manager service.
4. Install the update.
5. Restart the service.
6. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation and Sanitization
Applies to: all
Implement strict input validation and parameterized queries for Alarmview requests
Implementation: Not applicable - requires code changes

Network Segmentation
Applies to: all
Restrict access to the Applications Manager interface to only authorized users and networks
Implementation: Firewall rules to limit access to specific IP ranges

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the Applications Manager interface
  • Enable detailed SQL query logging and monitor for suspicious database activity patterns

🔍 How to Verify

Check if Vulnerable:

Check the Applications Manager version in the web interface under Help > About or examine the installation directory for version files.

Check Version:

Check the web interface or examine the <install_dir>/conf/version.txt file

Verify Fix Applied:

Verify the version is 14 build 14880 or later and test that Alarmview functionality works without SQL injection vulnerabilities.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by Alarmview requests
  • SQL error messages in application logs

Network Indicators:

  • Unusual database connection patterns from the Applications Manager server
  • Large data transfers from the database server

SIEM Query:

source="applications_manager" AND (event="SQL_ERROR" OR (request_uri="*alarmview*" AND (sql="*SELECT*" OR sql="*UNION*")))
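As an added defender-side example (not part of this advisory or the vendor's tooling), the detector below implements two of the log indicators above over constructed sample lines: SQL-looking values in Alarmview request parameters, and an Alarmview request that follows a run of failed logins by the same user. The log layout, the user names, the `view` parameter and the sample payload are assumptions made for the example, not the product's real log format or request shape.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (not real Applications Manager logs).
# Assumed layout: "<timestamp> <user> <http_status> <method> <uri>"
SAMPLE_LOG = """\
2024-01-10T10:00:01 alice 200 GET /alarmview?view=critical
2024-01-10T10:00:05 bob 401 POST /login
2024-01-10T10:00:07 bob 401 POST /login
2024-01-10T10:00:09 bob 401 POST /login
2024-01-10T10:00:12 bob 200 GET /alarmview?view=all
2024-01-10T10:00:20 carol 200 GET /alarmview?view=1%27%20UNION%20SELECT%201--
"""

# Same keywords the SIEM query above looks for, plus quote and comment characters.
SQL_PATTERN = re.compile(r"(\bUNION\b|\bSELECT\b|--|'|;)", re.IGNORECASE)


def parse_line(line):
    ts, user, status, method, uri = line.split(None, 4)
    return {"ts": ts, "user": user, "status": int(status), "method": method, "uri": uri}


def suspicious_params(uri):
    """Return (name, decoded value) pairs from the query string that match SQL_PATTERN.
    parse_qsl percent-decodes the values, so encoded payloads are inspected in clear."""
    query = urlsplit(uri).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if SQL_PATTERN.search(v)]


def detect(log_text, failed_login_threshold=3):
    """Scan log lines in order and return a list of (rule, user, timestamp, detail) alerts."""
    alerts = []
    failed = {}  # user -> consecutive failed logins seen so far
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        path = urlsplit(ev["uri"]).path.lower()
        if path.endswith("/login") and ev["status"] == 401:
            failed[ev["user"]] = failed.get(ev["user"], 0) + 1
            continue
        if "alarmview" in path:
            hits = suspicious_params(ev["uri"])
            if hits:
                alerts.append(("sql_pattern_in_alarmview", ev["user"], ev["ts"], hits))
            if failed.get(ev["user"], 0) >= failed_login_threshold:
                alerts.append(("alarmview_after_failed_logins", ev["user"], ev["ts"], failed[ev["user"]]))
        failed[ev["user"]] = 0  # any event other than a failed login resets the counter
    return alerts
```

Running `detect(SAMPLE_LOG)` raises one alert for bob (Alarmview request after three failed logins) and one for carol (decoded `view` value contains UNION/SELECT); alice's ordinary request raises none.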
