CVE-2023-2291

7.8 HIGH

📋 TL;DR

This vulnerability involves hardcoded static credentials in the PostgreSQL data used by ManageEngine Access Manager Plus, Password Manager Pro, and PAM360. An attacker who already holds a low-privileged account can use these credentials to modify configuration data and escalate from a low-privileged user to an administrative user. Organizations using the affected ManageEngine products are at risk.

💻 Affected Systems

Products:
  • ManageEngine Access Manager Plus
  • ManageEngine Password Manager Pro
  • ManageEngine PAM360
Versions: Build 4309 and earlier for Access Manager Plus; specific versions for other products not specified in CVE
Operating Systems: All platforms running affected ManageEngine products
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in PostgreSQL data used by these products; exploitation requires access to the database or application layer.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full administrative takeover of the ManageEngine system, allowing attackers to access all managed credentials, modify configurations, and potentially pivot to other systems.

🟠 Likely Case

Privilege escalation leading to unauthorized access to sensitive credentials and configuration data managed by the affected products.

🟢 If Mitigated

Limited impact if proper network segmentation, access controls, and monitoring prevent exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires initial access as a low-privileged user; static credentials make exploitation straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Access Manager Plus build 4310 and later; check vendor advisories for other products

Vendor Advisory: https://www.manageengine.com/products/access-manager-plus/security-updates/cve-2023-2291.html

Restart Required: Yes

Instructions:

1. Back up your current configuration and database.
2. Download the latest patch from ManageEngine.
3. Apply the patch following the vendor instructions.
4. Restart the ManageEngine service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Database Credential Rotation

all

Manually change the static PostgreSQL credentials used by the ManageEngine application, and update the application's database connection settings to match so the service can still reach its database after the change

ALTER USER manageengine_user WITH PASSWORD 'new_strong_password';

Network Segmentation

all

Restrict access to the ManageEngine PostgreSQL database to only necessary application servers

Configure firewall rules to limit database port access (default 5432)

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access the ManageEngine applications
  • Enable detailed logging and monitoring for privilege escalation attempts and database access

🔍 How to Verify

Check if Vulnerable:

Check your ManageEngine product version against the affected versions listed in the vendor advisory

Check Version:

Check the product web interface or installation directory for version information

Verify Fix Applied:

Verify the product version has been updated to a patched version and test that low-privileged users cannot escalate to administrative privileges

📡 Detection & Monitoring

Log Indicators:

  • Unusual database connection attempts
  • Privilege escalation events in application logs
  • Configuration changes by non-admin users

Network Indicators:

  • Unexpected connections to PostgreSQL port from unauthorized sources
  • Database query patterns indicating privilege escalation attempts

SIEM Query:

source="manageengine_logs" AND (event_type="privilege_escalation" OR (user="low_privilege_user" AND action="admin_action"))
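To show how the log indicators above (privilege escalation events and configuration changes by non-admin users) can be checked programmatically, here is an added example that is not from this page or the vendor: a small detector run over constructed audit events. The JSON field names, role names and action names are assumptions for illustration, not ManageEngine's real log format.

```python
import json

# Constructed sample audit events (NOT a real ManageEngine log format; field names are assumptions).
SAMPLE_LOG = """\
{"ts":"2023-05-02T10:01:05Z","user":"jdoe","role":"Password User","action":"VIEW_PASSWORD","target":"db-prod-01"}
{"ts":"2023-05-02T10:02:11Z","user":"jdoe","role":"Password User","action":"UPDATE_CONFIG","target":"SystemSettings"}
{"ts":"2023-05-02T10:02:40Z","user":"jdoe","role":"Password User","action":"ROLE_CHANGE","target":"jdoe","new_role":"Administrator"}
{"ts":"2023-05-02T10:03:02Z","user":"admin","role":"Administrator","action":"UPDATE_CONFIG","target":"MailSettings"}
{"ts":"2023-05-02T10:05:30Z","user":"jdoe","role":"Administrator","action":"EXPORT_ALL_PASSWORDS","target":"*"}
"""

# Assumed role and action names; adjust to the roles/actions your deployment actually logs.
ADMIN_ROLES = {"Administrator", "Privileged Administrator"}
ADMIN_ACTIONS = {"UPDATE_CONFIG", "ROLE_CHANGE", "EXPORT_ALL_PASSWORDS", "ADD_USER"}


def parse_events(text):
    """Parse one JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_escalation(events):
    """Return (timestamp, user, reason) tuples for suspicious privilege activity."""
    alerts = []
    last_role = {}  # user -> last observed role, to catch a role jump with no ROLE_CHANGE event
    for ev in events:
        user, role, action = ev.get("user"), ev.get("role"), ev.get("action")
        # Indicator: configuration change or other admin-only action by a non-admin role.
        if role not in ADMIN_ROLES and action in ADMIN_ACTIONS:
            alerts.append((ev["ts"], user, f"non-admin role '{role}' performed {action}"))
        # Indicator: a user granting the administrator role to themselves.
        if action == "ROLE_CHANGE" and ev.get("new_role") in ADMIN_ROLES and ev.get("target") == user:
            alerts.append((ev["ts"], user, "self-granted administrator role"))
        # Indicator: the same account now appears with an admin role after being non-admin.
        prev = last_role.get(user)
        if prev is not None and prev not in ADMIN_ROLES and role in ADMIN_ROLES:
            alerts.append((ev["ts"], user, f"role changed from '{prev}' to '{role}'"))
        last_role[user] = role
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect_escalation(parse_events(SAMPLE_LOG)):
        print(f"{ts} {user}: {reason}")
```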
