CVE-2021-3287
📋 TL;DR
CVE-2021-3287 is an unauthenticated remote code execution vulnerability in Zoho ManageEngine OpManager caused by insecure Java deserialization. Attackers can exploit this to execute arbitrary code on affected systems without authentication. Organizations running OpManager versions before 12.5.329 are vulnerable.
💻 Affected Systems
- Zoho ManageEngine OpManager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to internal networks, and establish persistent access.
Likely Case
Initial foothold leading to ransomware deployment, data exfiltration, or use as a pivot point for lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation and monitoring, potentially only affecting the OpManager server itself.
🎯 Exploit Status
Public exploit code available on Packet Storm and other sources. Exploitation is straightforward with readily available tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.5.329 and later
Vendor Advisory: https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125329
Restart Required: Yes
Instructions:
1. Download OpManager version 12.5.329 or later from the ManageEngine website.
2. Back up the current installation and configuration.
3. Run the installer to upgrade.
4. Restart the OpManager service.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the OpManager web interface to trusted IP addresses only.
Use firewall rules to allow only specific source IPs to TCP ports 8060 (default HTTP) and 443 (HTTPS).
Disable Vulnerable Endpoint
Block access to the vulnerable deserialization endpoint if possible.
Configure the web server (Apache/Nginx/IIS) to block requests to /servlets/SumPDU.
🧯 If You Can't Patch
- Isolate OpManager server in a dedicated network segment with strict firewall rules
- Implement application-level WAF with rules to detect and block Java deserialization attacks
🔍 How to Verify
Check if Vulnerable:
Check OpManager version via web interface (Help > About) or installation directory. Versions below 12.5.329 are vulnerable.
Check Version:
On Windows: Check 'About' in OpManager GUI. On Linux: Check /opt/ManageEngine/OpManager/version.txt or similar installation directory.
Verify Fix Applied:
Verify version is 12.5.329 or higher and test that the /servlets/SumPDU endpoint no longer accepts malicious serialized objects.
📡 Detection & Monitoring
Log Indicators:
- Unusual Java deserialization errors in OpManager logs
- Requests to /servlets/SumPDU with serialized objects
- Suspicious process creation from OpManager service
Network Indicators:
- HTTP POST requests to /servlets/SumPDU containing serialized Java objects
- Outbound connections from OpManager server to unknown external IPs
SIEM Query:
source="OpManager" AND (uri="/servlets/SumPDU" OR message="*deserialization*" OR message="*SumPDU*")
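The log and network indicators above can be turned into a simple triage filter. This is an added example, not code from the advisory or from ManageEngine: it assumes request records have been exported from a reverse proxy or WAF with the constructed field names method, path and body_prefix, and flags any request to /servlets/SumPDU, escalating when the body starts with a Java serialization stream header.

```python
from __future__ import annotations
import re

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes after base64 encoding always start with this prefix.
JAVA_SER_B64_PREFIX = "rO0AB"

# The endpoint named in the advisory, with optional trailing path or query string.
VULN_PATH = re.compile(r"^/servlets/SumPDU(?:[/?].*)?$", re.IGNORECASE)


def looks_like_java_object(body_prefix: bytes) -> bool:
    """True if the body opens with a raw or base64-encoded Java serialized stream."""
    if body_prefix.startswith(JAVA_SER_MAGIC):
        return True
    text = body_prefix[:8].decode("ascii", errors="ignore")
    return text.startswith(JAVA_SER_B64_PREFIX)


def classify_request(req: dict) -> str | None:
    """Return an alert label for one request record, or None if it is not suspicious."""
    if not VULN_PATH.match(req.get("path", "")):
        return None
    is_post = req.get("method", "").upper() == "POST"
    if is_post and looks_like_java_object(req.get("body_prefix", b"")):
        return "HIGH: serialized Java object posted to /servlets/SumPDU"
    return "MEDIUM: request to /servlets/SumPDU"


def scan(requests: list[dict]) -> list[tuple[int, str]]:
    """Run classify_request over a batch and return (index, label) for each hit."""
    hits = []
    for i, req in enumerate(requests):
        label = classify_request(req)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample traffic for the demo; field names are assumptions, not an OpManager log format.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/apiclient/ember/index.jsp", "body_prefix": b""},
    {"method": "POST", "path": "/servlets/SumPDU", "body_prefix": b"\xac\xed\x00\x05sr\x00"},
    {"method": "POST", "path": "/servlets/SumPDU?x=1", "body_prefix": b"rO0ABXNyAA"},
    {"method": "GET", "path": "/servlets/SumPDU", "body_prefix": b""},
    {"method": "POST", "path": "/servlets/Other", "body_prefix": b"\xac\xed\x00\x05"},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_REQUESTS):
        print(idx, label)
```

The base64 prefix check covers clients that wrap the stream in a form or JSON field; a Java object posted to any other path is deliberately left out so this stays an indicator for this CVE rather than a generic deserialization rule.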
🔗 References
- http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html
- https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125329