CVE-2019-12133
First published: Tue Jun 18 2019(Updated: )
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ManageEngine Analytics Plus | =1.0 | |
| ManageEngine Browser Security Plus | ||
| ManageEngine Desktop Central | =10.0.380 | |
| ManageEngine EventLog Analyzer | =12.0.2 | |
| ManageEngine Firewall Analyzer | =12.0 | |
| ManageEngine Key Manager Plus | =5.6 | |
| ManageEngine Mobile Device Manager Plus | =9.0.0 | |
| Zoho ManageEngine NetFlow Analyzer | =11.0 | |
| ManageEngine Network Configuration Manager | =11.0 | |
| ManageEngine O365 Manager Plus | =4.0 | |
| ManageEngine OpManager MSP | =12.3 | |
| ManageEngine OpUtils | =11.0 | |
| ManageEngine Password Manager Pro | =9.9 | |
| Zoho ManageEngine Patch Connect Plus | =9.0.0 | |
| ManageEngine Patch Manager Plus by Zoho Corporation | =9.0.0 | |
| ManageEngine ServiceDesk Plus | =10.0.0 | |
| ManageEngine SupportCenter Plus | =8.1 | |
| ManageEngine Vulnerability Manager Plus | =9.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-12133?
CVE-2019-12133 is a vulnerability that affects multiple Zoho ManageEngine products, allowing for local privilege escalation due to improper permissions.
Which Zoho ManageEngine products are affected by CVE-2019-12133?
The following Zoho ManageEngine products are affected by CVE-2019-12133: ManageEngine Analytics Plus, ManageEngine Browser Security Plus, ManageEngine Desktop Central, ManageEngine Eventlog Analyzer, ManageEngine Firewall, ManageEngine Key Manager Plus, ManageEngine Mobile Device Manager Plus, ManageEngine Netflow Analyzer, ManageEngine Network Configuration Manager, ManageEngine O365 Manager Plus, ManageEngine Opmanager, ManageEngine Oputils, ManageEngine Password Manager Pro, ManageEngine Patch Connect Plus, ManageEngine Patch Manager Plus, ManageEngine Servicedesk Plus, ManageEngine Supportcenter Plus, ManageEngine Vulnerability Manager Plus.
What is the severity of CVE-2019-12133?
The severity of CVE-2019-12133 is rated as high, with a severity score of 7.8.
How does CVE-2019-12133 work?
CVE-2019-12133 allows attackers to escalate their privileges by exploiting the improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders in the affected Zoho ManageEngine products.
How can I fix CVE-2019-12133?
To fix CVE-2019-12133, it is recommended to apply the patches or updates provided by Zoho for the affected ManageEngine products.
- agent/references
- agent/type
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/zohocorp
- canonical/manageengine analytics plus
- version/manageengine analytics plus/1.0
- canonical/manageengine browser security plus
- canonical/manageengine desktop central
- version/manageengine desktop central/10.0.380
- canonical/manageengine eventlog analyzer
- version/manageengine eventlog analyzer/12.0.2
- canonical/manageengine firewall analyzer
- version/manageengine firewall analyzer/12.0
- canonical/manageengine key manager plus
- version/manageengine key manager plus/5.6
- canonical/manageengine mobile device manager plus
- version/manageengine mobile device manager plus/9.0.0
- canonical/zoho manageengine netflow analyzer
- version/zoho manageengine netflow analyzer/11.0
- canonical/manageengine network configuration manager
- version/manageengine network configuration manager/11.0
- canonical/manageengine o365 manager plus
- version/manageengine o365 manager plus/4.0
- canonical/manageengine opmanager msp
- version/manageengine opmanager msp/12.3
- canonical/manageengine oputils
- version/manageengine oputils/11.0
- canonical/manageengine password manager pro
- version/manageengine password manager pro/9.9
- canonical/zoho manageengine patch connect plus
- version/zoho manageengine patch connect plus/9.0.0
- canonical/manageengine patch manager plus by zoho corporation
- version/manageengine patch manager plus by zoho corporation/9.0.0
- canonical/manageengine servicedesk plus
- version/manageengine servicedesk plus/10.0.0
- canonical/manageengine supportcenter plus
- version/manageengine supportcenter plus/8.1
- canonical/manageengine vulnerability manager plus
- version/manageengine vulnerability manager plus/9.0.0