CVE-2022-26653 & CVE-2022-26777: ManageEngine Remote Access Plus Guest User Insecure Direct Object References

The Exploit: Penetration Testing Insights From The Frontlines
Posted on July 21, 2022

Written by Raxis Research Team


I’m Matt Dunn, lead penetration tester at Raxis, and I’ve uncovered a couple more ManageEngine vulnerabilities you should know about if your company is using the platform.

Summary

I discovered two instances in ManageEngine Remote Access Plus where a user with Guest permissions can access administrative details of the installation. In each case, an authenticated ‘Guest’ user can make a direct request to the /dcapi/ API endpoint to retrieve information. This allows the ‘Guest’ user to discover information about the connected Domains as well as the License information for the installation.

Proof of Concept

The two vulnerabilities are similar in that they allow a user with ‘Guest’ level permissions to access details about the installation. Each CVE refers to a specific piece of information that the user can retrieve, as detailed below:

CVE-2022-26653 – The ‘Guest’ user can retrieve details of connected Domains.

CVE-2022-26777 – The ‘Guest’ user can retrieve details about the installation’s License.

The user with ‘Guest’ permissions can access all the Domain’s details, including the connected Domain Controller, the account used for authentication, and when it was last updated, as shown here:

[Screenshot: Guest User Can Access All Domain Details]

Similarly, the ‘Guest’ user can access all the License information, including the number of users, the number of managed systems, who the license is issued to, and the exact build number, as shown below:

[Screenshot: Guest User Can Access All License Details]
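The root cause in both CVEs is an API layer that verifies the session but not the caller's role. The following is an added example, not code from the advisory or from ManageEngine: a minimal Python model of a /dcapi/ handler that only checks authentication (the vulnerable pattern) beside one that also enforces a per-endpoint role. The endpoint paths, role names and the domain/license values are assumptions constructed for the example.

```python
"""Added example (not ManageEngine code): the access-control gap behind
CVE-2022-26653 / CVE-2022-26777 in miniature, before and after the fix."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical endpoint paths under /dcapi/ (the advisory does not name the
# exact paths). All data values below are constructed sample data.
DOMAIN_DETAILS = {"domain": "corp.example", "dc": "dc01.corp.example",
                  "auth_account": "svc-rap", "last_updated": "2022-02-01"}
LICENSE_DETAILS = {"users": 50, "managed_systems": 500,
                   "licensed_to": "Example Corp", "build": "10.1.2137.6"}
DATA = {"/dcapi/domains": DOMAIN_DETAILS, "/dcapi/license": LICENSE_DETAILS}

# Minimum role each administrative endpoint must demand (assumed role model).
ROLE_RANK = {"Guest": 0, "Technician": 1, "Administrator": 2}
REQUIRED_ROLE = {"/dcapi/domains": "Administrator",
                 "/dcapi/license": "Administrator"}


@dataclass
class Request:
    path: str
    user: str
    role: str                 # role bound to the authenticated session
    authenticated: bool = True


def handle_vulnerable(req: Request) -> Tuple[int, Optional[dict]]:
    """Vulnerable pattern: authentication is checked, authorization is not.
    Any logged-in user, a Guest included, receives the admin-only data."""
    if not req.authenticated:
        return 401, None
    if req.path not in DATA:
        return 404, None
    return 200, DATA[req.path]


def handle_fixed(req: Request) -> Tuple[int, Optional[dict]]:
    """Hardened pattern: enforce the per-endpoint role on the server, before
    touching the data, instead of relying on the UI to hide the page."""
    if not req.authenticated:
        return 401, None
    if req.path not in DATA:
        return 404, None
    needed = REQUIRED_ROLE[req.path]
    if ROLE_RANK.get(req.role, -1) < ROLE_RANK[needed]:
        return 403, None      # authenticated, but not authorized
    return 200, DATA[req.path]


if __name__ == "__main__":
    guest = Request("/dcapi/license", "guest1", "Guest")
    print(handle_vulnerable(guest))   # leaks the license details
    print(handle_fixed(guest))        # (403, None)
```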

Affected Versions

Raxis discovered these vulnerabilities on ManageEngine Remote Access Plus version 10.1.2137.6.

Remediation

Upgrade ManageEngine Remote Access Plus to Version 10 Build 10.1.2137.15 or later, which can be found here:

Disclosure Timeline

  • February 16, 2022 – Vulnerabilities reported to Zoho
  • February 17, 2022 – Zoho begins investigation into reports
  • March 8, 2022 – CVE-2022-26653 is assigned to the Domain Details vulnerability
  • March 9, 2022 – CVE-2022-26777 is assigned to the License Details vulnerability
  • April 8, 2022 – Zoho releases fixed version 11 Build 10.1.2137.15 that addresses both vulnerabilities

CVE Links

CVE-2022-26653

CVE-2022-26777

 
