Zero-Day Vulnerabilities in ManageEngine Products
NJCCIC Alert
Original Release Date: 2018-03-23
Researchers at Digital Defense discovered six zero-day vulnerabilities in various ManageEngine applications including Log360, EventLog Analyzer, and Application Manager. The flaws – which include unauthorized file upload, blind SQL injection, local file inclusion, and API key disclosure – could be leveraged by threat actors to conduct remote code execution with escalated privileges and obtain sensitive information. ManageEngine was alerted to the security vulnerabilities on February 12 and issued patches on March 7.
The NJCCIC recommends users and administrators of affected ManageEngine products review the Digital Defense Security Advisories (1, 2) and apply the available patches as soon as possible.
Featured Content
- Pulse Connect Secure Vulnerabilities Are Actively Being Exploited>
- Phishing Campaigns Attempt to Steal Credentials for Cloud Services>
- Geico Hack Impacts Residents in 8 States>
- SonicWall Email Security Vulnerabilities Are Actively Being Exploited>
- New Critical Vulnerabilities in On-Premises Microsoft Exchange Servers>
- Threat Actors Abuse Contact Forms in Recent Malware Campaigns>
- Google Chrome Vulnerabilities Exploited in the Wild – Patch Now>
- Increase in Ransomware Attacks Targeting Education Sector>
The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
View our Privacy Policy here.
View our Site Index here.