| Impact | CVSS V3 rating: 9.8 CRITICAL |
| Fixed | 20 August 2019 |
| Affected Builds | Till Build 14300 |
| Fixed in | Build 14310 |
| Overview | Unauthenticated Remote Command Execution in Applications Manager Plugin. |
| Recommended Fix | Upgrade Applications Manager Plugin to version 14310 or above. |
An issue was discovered in Zoho ManageEngine OpManager with Applications Manager Plugin through 12.4x. One can bypass the user password requirement and execute commands on the server. The string "username+'@opm'" is used for the password. For example, if the username is admin, the password is admin@opm.
We recommend upgrading Applications Manager Plugin to version 14310 or above and OPM to the latest version to fix this issue.
Source and Acknowledgements