Security Updates - CVE-2026-12370 | ManageEngine OpManager

Remote Code Execution via NCM Configlet - CVE-2026-12370

Severity: High

CVE ID: CVE-2026-12370

Product name	Affected Version(s)	Fixed Version(s)	Fixed On
OpManager OpManager Nexus OpManager MSP NetFlow Analyzer Network Configuration Manager
	Below version 129101	128668 / 128723 / 129101	12-06-2026

Details:

General: Previously, there was a Server-Side Template Injection (SSTI) vulnerability in Configlet processing that could potentially lead to remote code execution (RCE). This issue has now been fixed.

Steps to upgrade:

Kindly download the latest upgrade pack from the following links for the respective products:
- OpManager: https://www.manageengine.com/network-monitoring/service-packs.html
- OpManager Nexus: https://www.manageengine.com/it-operations-management/service-packs.html
- OpManager MSP: https://www.manageengine.com/network-monitoring-msp/service-packs.html
- Network Configuration Manager: https://www.manageengine.com/network-configuration-manager/upgradepack.html
- NetFlow Analyzer: https://www.manageengine.com/products/netflow/service-packs.html
Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Source and Acknowledgements

This vulnerability was reported by C & N.

Kindly contact our product support team for further details, at the below mentioned email address:

OpManager: opmanager-support@manageengine.com
OpManager Nexus: opmanagerplus-support@manageengine.com
OpManager MSP: msp-opmanager-support@manageengine.com
Network Configuration Manager: ncm-support@manageengine.com
NetFlow Analyzer: netflowanalyzer-support@manageengine.com