CVE-2020-15394
Description
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Zoho ManageEngine Applications Manager REST API before build 14740 allows remote code execution.
Vulnerability
The REST API in Zoho ManageEngine Applications Manager prior to build 14740 is vulnerable to an unauthenticated SQL injection. An attacker can craft a malicious request to the API, which is processed without proper input sanitization, leading to arbitrary SQL query execution. This vulnerability affects all builds before 14740 [2][3].
Exploitation
An attacker does not require any authentication or prior access to the system. The exploitation involves sending a specially crafted HTTP request to the REST API endpoint. The SQL injection can be triggered by manipulating parameters in the request, allowing the attacker to execute arbitrary SQL commands on the backend database [2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries, which can lead to remote code execution (RCE) on the server. This compromises the confidentiality, integrity, and availability of the affected system, potentially granting full control over the Applications Manager instance [2].
Mitigation
The vulnerability is fixed in build 14740 of Zoho ManageEngine Applications Manager. Users should upgrade to this build or later immediately. No workarounds are documented in the available references [2][3]. If upgrading is not possible, restricting network access to the REST API may reduce exposure.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Applications Manager
- Range: <14740
Patches
No patches discovered yet.
References
- www.manageengine.com (mitre, x_refsource_MISC)
- www.manageengine.com/products/applications_manager/issues.html (mitre, x_refsource_CONFIRM)
- www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-15394.html (mitre, x_refsource_CONFIRM)