ManageEngine Applications Manager
cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*
- <= 178100
A command injection vulnerability has been identified in ManageEngine Applications Manager, affecting versions through 178100. This vulnerability allows authenticated users to bypass command blacklists and execute sensitive commands with administrative privileges. The issue arises from improper validation in the 'execute program' action feature, where absolute paths can be used to circumvent security controls designed to prevent the execution of dangerous commands.
Exploitation of this vulnerability could lead to unauthorized execution of commands with administrative rights, potentially compromising the security and integrity of the Applications Manager server.
Users can update to ManageEngine Applications Manager version 178200 or later, or to versions 178001 through 178009. After updating, the 'execute program' actions will require super admin approval before being executed, adding a layer of security against unauthorized command execution.
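The blacklist bypass described above, as an added example that is not ManageEngine's code and not part of the original advisory: a name-based blacklist misses the same program when it is given by absolute path, while a basename check and an allowlist of full paths do not. The blocked names, the approved path and all function names are assumptions made for illustration.

```python
import posixpath
import shlex

# Constructed lists for illustration; the product's real blacklist is not given on this page.
BLOCKED_NAMES = {"shutdown", "reboot", "rm"}
ALLOWED_PATHS = {"/opt/scripts/restart_service.sh"}  # hypothetical approved program


def naive_is_blocked(command_line: str) -> bool:
    """Weak check: compares the first token verbatim with the blacklist."""
    argv = shlex.split(command_line)
    return bool(argv) and argv[0] in BLOCKED_NAMES


def normalized_is_blocked(command_line: str) -> bool:
    """Better: strip the directory part before the blacklist lookup."""
    argv = shlex.split(command_line)
    return bool(argv) and posixpath.basename(argv[0]) in BLOCKED_NAMES


def allowlist_permits(command_line: str) -> bool:
    """Strongest of the three: only exact, absolute, pre-approved paths run."""
    argv = shlex.split(command_line)
    if not argv or not posixpath.isabs(argv[0]):
        return False
    # normpath collapses "." and ".." segments; a deployment would also
    # resolve symlinks with os.path.realpath before the lookup.
    return posixpath.normpath(argv[0]) in ALLOWED_PATHS


if __name__ == "__main__":
    samples = [  # constructed inputs
        "shutdown -h now",
        "/sbin/shutdown -h now",
        "/opt/scripts/../../sbin/shutdown -h now",
        "/opt/scripts/restart_service.sh web",
    ]
    for s in samples:
        print(f"{s!r}: naive_blocked={naive_is_blocked(s)} "
              f"normalized_blocked={normalized_is_blocked(s)} "
              f"allowlisted={allowlist_permits(s)}")
```

A basename check still misses a renamed copy of a blocked program or one launched through an interpreter, which is why the allowlist is the stronger control.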