Zero-Day Vulnerabilities in ManageEngine Products

Researchers at Digital Defense discovered six zero-day vulnerabilities in various ManageEngine applications including Log360, EventLog Analyzer, and Application Manager. The flaws – which include unauthorized file upload, blind SQL injection, local file inclusion, and API key disclosure – could be leveraged by threat actors to conduct remote code execution with escalated privileges and obtain sensitive information. ManageEngine was alerted to the security vulnerabilities on February 12 and issued patches on March 7. The NJCCIC recommends users and administrators of affected ManageEngine products review the Digital Defense Security Advisories (1, 2) and apply the available patches as soon as possible.