ManageEngine AssetExplorer
cpe:2.3:a:zohocorp:manageengine_assetexplorer:*:*:*:*:*:*:*
- <= 7700
A privilege escalation vulnerability has been identified in multiple ManageEngine products, including Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus. This vulnerability arises from improper privilege management due to overly permissive regular expression rules in URL mapping, which can be exploited by low-privileged users to gain control of any account, including administrator accounts. The vulnerability affects Asset Explorer versions prior to 7710, ServiceDesk Plus versions prior to 15110, ServiceDesk Plus MSP versions prior to 14940, and SupportCenter Plus versions prior to 14940.
Exploitation of this vulnerability allows an authenticated, low-privileged user to escalate privileges and take control of any account, potentially leading to unauthorized actions and data exposure. However, this vulnerability cannot be exploited if local authentication is disabled or if the high-privileged user account is associated with an email ID.
Users can upgrade to the latest version by downloading the service packs available on the ManageEngine website for Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus. After downloading, the latest build should be applied to the existing product installation according to the service pack instructions.