CVE-2016-9498
high-risk
Published 2018-07-13
ManageEngine Applications Manager 12 and 13 before build 13200 deserialize untrusted Java objects. The vulnerability can be exploited by a remote user without authentication and allows remote code execution, compromising the application as well as the operating system. Because Applications Manager's RMI registry runs with system administrator privileges, an attacker who exploits this vulnerability gains the highest privileges on the underlying operating system.
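The first question the description raises for a defender is whether the RMI endpoint is reachable at all from untrusted networks, since the flaw needs no authentication. The following is an added example, not part of this CVE entry and not ManageEngine's code: a small Python probe that completes only the Java RMI transport handshake (the "JRMI" header, version 2, StreamProtocol request, and the server's ProtocolAck) and reports whether the port speaks RMI. It sends no serialized objects, so it is a reachability check, not an exploit. Port 1099 is the JDK's default registry port and is an assumption here; the hostnames and the sample reply bytes in the test are constructed.

```python
"""Added example: check whether a host exposes a Java RMI endpoint by completing
the JRMI stream-protocol transport handshake. It sends no serialized objects,
so it is a reachability check, not an exploit. Port 1099 is only the JDK's
default registry port and is an assumption; use the port the Applications
Manager installation actually listens on."""
import socket
import struct
import sys

JRMI_MAGIC = b"JRMI"      # transport header magic
JRMI_VERSION = 2          # protocol version, big-endian unsigned short
STREAM_PROTOCOL = 0x4B    # client requests StreamProtocol
PROTOCOL_ACK = 0x4E       # server accepts the requested protocol
PROTOCOL_NACK = 0x4F      # server refuses it


class Incomplete(ValueError):
    """Reply is a valid prefix of a ProtocolAck but more bytes are needed."""


def build_handshake() -> bytes:
    """Client header: magic, version and requested protocol."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL)


def parse_protocol_ack(data: bytes):
    """Parse the server's reply to a StreamProtocol request.

    An RMI server answers ProtocolAck, then DataOutputStream.writeUTF(the
    client host as the server saw it) and writeInt(port, normally 0).
    Returns (host, port). Raises ValueError for a Nack or a non-RMI reply,
    Incomplete if the reply is a valid prefix and more bytes are needed.
    """
    if not data:
        raise Incomplete("no bytes yet")
    if data[0] == PROTOCOL_NACK:
        raise ValueError("server sent ProtocolNack")
    if data[0] != PROTOCOL_ACK:
        raise ValueError(f"not an RMI ProtocolAck (first byte 0x{data[0]:02x})")
    if len(data) < 3:
        raise Incomplete("writeUTF length prefix not yet received")
    (n,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + n + 4:
        raise Incomplete("host/port not yet received")
    # writeUTF uses modified UTF-8; identical to UTF-8 for ASCII hostnames/IPs
    host = data[3:3 + n].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + n:3 + n + 4])
    return host, port


def probe_rmi(host: str, port: int = 1099, timeout: float = 3.0):
    """Connect, send the handshake and return (host, port) from the ProtocolAck.

    Raises OSError if the TCP connection fails and ValueError if the peer
    does not complete an RMI ProtocolAck.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake())
        buf = b""
        while True:
            chunk = sock.recv(256)
            if not chunk:
                raise ValueError("connection closed before a complete ProtocolAck")
            buf += chunk
            try:
                return parse_protocol_ack(buf)
            except Incomplete:
                continue


if __name__ == "__main__":
    # Hypothetical target; pass host and port on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1099
    try:
        seen_as, _ = probe_rmi(target, target_port)
        print(f"{target}:{target_port} speaks Java RMI (server sees us as {seen_as})")
    except (OSError, ValueError) as err:
        print(f"{target}:{target_port}: no RMI ProtocolAck ({err})")
```

A ProtocolAck tells you the transport is exposed; it does not tell you which build is installed, so pair the probe with the build number from the product itself. The parser is kept separate from the socket code so the reply format can be checked against captured bytes without a live target.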
Do I need to act?
70.4% chance of exploitation in the next 30 days (EPSS score, higher than 30% of all CVEs)
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance. The description above gives build 13200 as the first build outside the affected range, so an installation at build 13200 or later is not within the stated affected versions; confirm this against the vendor advisory before treating a host as patched.
CVSS 9.8/10 · Critical
Attack vector: NETWORK · Attack complexity: LOW
Affected Products (2)
Affected Vendors
References (6)
Mailing List: http://seclists.org/fulldisclosure/2017/Apr/9
Third Party Advisory: https://www.securityfocus.com/bid/97394/
58/100 · high-risk
Severity: 32/34 · Critical
Exploitability: 19/34 · Moderate
Exposure: 7/34 · Low