CVE-2023-47211
📋 TL;DR
A directory traversal vulnerability in the uploadMib functionality of ManageEngine OpManager allows attackers to create arbitrary files on the system by sending specially crafted HTTP requests carrying malicious MIB files. This affects ManageEngine OpManager version 12.7.258 and can potentially lead to remote code execution or system compromise.
💻 Affected Systems
- ManageEngine OpManager
📦 What is this software?
Manageengine Network Configuration Manager by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment.
Likely Case
Arbitrary file creation enabling privilege escalation, persistence mechanisms, or sensitive data access.
If Mitigated
Limited impact with proper network segmentation and file system permissions preventing critical file access.
🎯 Exploit Status
Exploitation requires sending a crafted HTTP request with a malicious MIB file, which is straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.7.259 or later
Vendor Advisory: https://www.manageengine.com/itom/advisory/cve-2023-47211.html
Restart Required: Yes
Instructions:
1. Download the latest version from ManageEngine's website.
2. Stop the OpManager service.
3. Install the update.
4. Restart the service.
🔧 Temporary Workarounds
Disable uploadMib functionality
Temporarily disable the vulnerable uploadMib feature until patching is complete.
Modify OpManager configuration to restrict access to uploadMib endpoints
Network segmentation
Restrict network access to OpManager instances to trusted IP addresses only.
Configure firewall rules to allow only specific IPs to access OpManager ports
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted sources only.
- Monitor for suspicious file creation activities and HTTP requests to uploadMib endpoints.
🔍 How to Verify
Check if Vulnerable:
Check if OpManager version is 12.7.258 via the web interface or installation directory.
Check Version:
Check the version in the OpManager web interface under Help > About or examine the installation directory.
Verify Fix Applied:
Verify the version is updated to 12.7.259 or later and test uploadMib functionality with safe files.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to uploadMib endpoints with unusual file paths or extensions
- File creation events in unexpected directories
Network Indicators:
- HTTP POST requests to /uploadMib with suspicious payloads
- Unusual outbound connections from OpManager server
SIEM Query:
source="opmanager" AND (url="*uploadMib*" AND (path="*../*" OR file_extension!=".mib"))
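The log indicators and SIEM query above, applied to constructed sample access-log lines, as an added Python example that is not part of this advisory. The access-log format and the fileName query parameter name are assumptions, since the advisory does not document OpManager's request format:

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample access-log lines (Combined-Log-style request line). The log
# format and the "fileName" query parameter are assumptions, not OpManager details.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2023:10:01:02 +0000] "POST /uploadMib?fileName=IF-MIB.mib HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2023:10:02:15 +0000] "POST /uploadMib?fileName=..%2F..%2Fnotes.txt HTTP/1.1" 200 98
10.0.0.7 - - [12/Nov/2023:10:03:40 +0000] "GET /apiclient/index.jsp HTTP/1.1" 200 4096
10.0.0.9 - - [12/Nov/2023:10:04:01 +0000] "POST /uploadMib?fileName=agent.txt HTTP/1.1" 200 77
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
FILENAME_PARAMS = {"fileName", "filename", "name"}  # assumed parameter names

def parse_line(line):
    """Split one access-log line into source, path and decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = unquote(path)
    entry["params"] = dict(parse_qsl(query, keep_blank_values=True))
    return entry

def classify(entry):
    """Return the reasons an uploadMib request looks suspicious ([] if none)."""
    if "uploadmib" not in entry["path"].lower():
        return []
    reasons = []
    for name in FILENAME_PARAMS.intersection(entry["params"]):
        raw = entry["params"][name]
        # Decode once more so a double-encoded "..%252F" does not slip past.
        value = unquote(raw).replace("\\", "/")
        if "../" in value or value.startswith("/"):
            reasons.append(f"traversal sequence in {name}={raw!r}")
        if not value.lower().endswith(".mib"):
            reasons.append(f"non-.mib file name in {name}={raw!r}")
    return reasons

def scan_log(text):
    """Return (source ip, request target, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits.append((entry["src"], entry["target"], reasons))
    return hits
```

Running scan_log over the sample flags the two requests from 10.0.0.9 and leaves the benign IF-MIB.mib upload and the unrelated GET alone.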
🔗 References
- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851
- https://www.manageengine.com/itom/advisory/cve-2023-47211.html