CVE-2019-19034
ManageEngine AssetExplorer Authenticated Command Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 3
Exploited in Wild: -
Decision
Descriptions
Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.
ManageEngine AssetExplorer versions prior to 6.5 (6503) suffer from an authenticated remote command execution vulnerability.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-11-17 CVE Reserved
- 2020-03-23 CVE Published
- 2020-05-15 First Exploit
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (4)
URL | Date | SRC |
---|---|---|
https://www.manageengine.com/products/asset-explorer/sp-readme.html | 2023-02-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Zohocorp | Manageengine Assetexplorer | 6.5 | - | Affected |