Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability.

Cisco Talos recently discovered a vulnerability in ManageEngine OpManager that could lead to an XML external entity (XXE) attack.

OpManager is network monitoring software that allows users to track and manage the performance of connected routers, switches, firewalls, servers, VMs and more. A vulnerability (TALOS-2022-1685/CVE-2022-43473) exists when the user attempts to add a unified computing system (UCS) to the software.

An attacker could exploit this vulnerability by supplying a specially crafted, malicious XML file at a specific point in that connection process, allowing them to carry out an XXE attack. XXE attacks allow an adversary to interact with other backend or external systems that OpManager accesses.
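The defensive counterpart to the issue described above is to refuse XML that declares a DOCTYPE or any external entity before it ever reaches a full parser. The following is an added illustration written for this post, not Talos or ManageEngine code, and it says nothing about which parser OpManager uses: it assumes a hypothetical application that accepts an XML document describing a UCS endpoint (the `<ucs><host>…</host></ucs>` shape and the sample documents are constructed for the example) and uses Python's expat declaration callbacks to flag DOCTYPE declarations, external DTD subsets and external general or parameter entities, rejecting the document before parsing.

```python
"""Pre-parse guard for untrusted XML: flag and reject DOCTYPE / external entities.

Assumptions (constructed for this example, not OpManager code): the application
receives an XML document describing a UCS endpoint and must parse it safely.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from xml.etree import ElementTree as ET
from xml.parsers import expat


@dataclass
class XmlFindings:
    """What the declaration-level scan observed in the prolog."""
    has_doctype: bool = False
    external_dtd: Optional[str] = None                     # SYSTEM id on the DOCTYPE itself
    external_entities: List[Tuple[str, str]] = field(default_factory=list)  # (name, SYSTEM id)
    internal_entities: int = 0                             # declared inline (expansion risk)

    @property
    def is_safe(self) -> bool:
        # Strict policy, like disabling DOCTYPE altogether: any DTD is rejected.
        return not (self.has_doctype or self.external_dtd or self.external_entities)

    def describe(self) -> str:
        parts = []
        if self.external_dtd:
            parts.append(f"external DTD {self.external_dtd}")
        for name, sysid in self.external_entities:
            parts.append(f"external entity &{name}; -> {sysid}")
        if self.has_doctype and not parts:
            parts.append("DOCTYPE declaration present")
        return "; ".join(parts) or "no DTD constructs"


def inspect_xml(data: bytes) -> XmlFindings:
    """Scan declarations only. expat does not fetch external entities or DTDs
    unless a handler is installed, so this scan itself performs no I/O."""
    findings = XmlFindings()
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.has_doctype = True
        if system_id:
            findings.external_dtd = system_id

    def on_entity(name, is_parameter_entity, value, base, system_id, public_id, notation):
        if system_id:  # SYSTEM/PUBLIC entity: would be resolved by a permissive parser
            label = ("%" if is_parameter_entity else "") + name
            findings.external_entities.append((label, system_id))
        else:
            findings.internal_entities += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)
    return findings


def safe_parse(data: bytes) -> ET.Element:
    """Parse only after the guard passes; otherwise reject with the reason."""
    findings = inspect_xml(data)
    if not findings.is_safe:
        raise ValueError(f"rejected XML: {findings.describe()}")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if safe_parse refuses the document."""
    try:
        safe_parse(data)
    except ValueError:
        return True
    return False


# Constructed sample documents (hostnames and URLs are placeholders).
BENIGN_UCS = b'<?xml version="1.0"?><ucs><host>ucs-manager.example.internal</host></ucs>'
XXE_FILE_READ = (b'<!DOCTYPE ucs [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
                 b'<ucs><host>&xxe;</host></ucs>')
EXTERNAL_DTD = b'<!DOCTYPE ucs SYSTEM "http://dtd.example.invalid/ucs.dtd"><ucs/>'
PARAM_ENTITY = (b'<!DOCTYPE ucs [<!ENTITY % dtd SYSTEM "http://dtd.example.invalid/ucs.dtd">]>'
                b'<ucs/>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_UCS), ("xxe", XXE_FILE_READ),
                       ("external dtd", EXTERNAL_DTD), ("param entity", PARAM_ENTITY)]:
        print(f"{label:13s} safe={inspect_xml(doc).is_safe!s:5s} {inspect_xml(doc).describe()}")
```

The guard is deliberately stricter than "block external entities only": a DOCTYPE has no legitimate role in a machine-generated configuration payload, so rejecting it outright also removes internal-entity expansion abuse. The scan and the real parse run over the same bytes, so a document cannot be changed between the check and its use.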

Cisco Talos worked with the managers of ManageEngine to ensure that this issue is resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users of ManageEngine OpManager version 12.6.168 are encouraged to update as soon as possible; Talos tested and confirmed that this version of the software is affected by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability: 49864. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.