ManageEngine OpManager Stored Cross-Site Scripting Vulnerability in SNMP Trap Processor

Vulnerability

A stored cross-site scripting vulnerability has been identified in ManageEngine OpManager, OpManager Enterprise Edition, OpManager Plus, OpManager Plus Enterprise Edition, and OpManager MSP, all versions through 128609. The vulnerability resides in the SNMP Trap Processor module, where a user with permission to modify the processor can inject malicious JavaScript into the Description field. This injected script executes when an admin views the SNMP Trap Processors page, potentially allowing the attacker to use the admin's CSRF token and session to gain a reverse shell and execute remote code on the server.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, with the injected script executing in the context of an admin user. This could lead to a reverse shell and remote code execution on the server.

Remediation

Users can upgrade to version 128610 or later. Instructions for downloading the latest upgrade pack are available on the ManageEngine website.
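
For reviewing SNMP Trap Processor entries created on an affected build, the following added example (not ManageEngine code and not part of the original advisory) flags Description values that a browser would interpret as active markup and shows the HTML-encoded form a page should emit instead. The record shape (`name`, `description`), the function names and the pattern list are assumptions made for illustration, and the sample records are constructed.

```javascript
// Added example: the record shape below is an assumption, not OpManager's schema.

// Patterns that indicate a description would be treated as markup or script
// if written into a page without encoding. Heuristic: review hits manually.
const ACTIVE_MARKUP = [
  /<\s*script\b/i,                                        // script elements
  /<\s*(iframe|object|embed|svg|img|link|meta|base|form)\b/i, // other active tags
  /\bon[a-z]+\s*=/i,                                      // inline handlers (onerror=, onload=)
  /javascript\s*:/i,                                      // javascript: URLs
];

// Encode the five characters that are significant in HTML text and
// quoted-attribute contexts, so stored text is displayed, never parsed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return the processors whose description matches an active-markup pattern,
// together with the encoded form that is safe to render.
function auditDescriptions(processors) {
  return processors
    .filter((p) => ACTIVE_MARKUP.some((re) => re.test(p.description ?? '')))
    .map((p) => ({ name: p.name, rendered: escapeHtml(p.description) }));
}

// Constructed sample records (hypothetical export of trap processor entries).
const sample = [
  { name: 'LinkDown', description: 'Interface went down on the device' },
  { name: 'ColdStart', description: '<script>alert(1)</script>' },
  { name: 'AuthFail', description: 'Threshold > 5 & rising' },
  { name: 'FanAlarm', description: '<img src=x onerror=alert(1)>' },
];

console.log(JSON.stringify(auditDescriptions(sample), null, 2));
```

The pattern list is a triage aid for existing records, not a filter to rely on; the control that prevents execution is encoding the Description value on output, as `escapeHtml` does.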

Added: Nov 11, 2025, 2:17 PM
Updated: Nov 11, 2025, 2:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.