CVE-2022-43473

high-risk
Published 2023-03-30

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

Do I need to act?

!
35.6% chance of exploitation in next 30 days
EPSS score — higher than 64% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.8/10 Medium
NETWORK / HIGH complexity

Affected Products (20)

Affected Vendors

Zohocorp

References (5)

Exploit https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685
Patch https://www.manageengine.com/itom/advisory/cve-2022-43473.html
Exploit https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685
Patch https://www.manageengine.com/itom/advisory/cve-2022-43473.html
https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1685
63
/ 100
high-risk
Severity 18/34 · Moderate
Exploitability 16/34 · Moderate
Exposure 29/34 · Critical