Network Configuration Manager
by SolarWinds
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-41437 | | Med | 0.28 | 4.3 | 0.00 | | Jun 9, 2025 | Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page. |
| CVE-2021-43319 | | | 0.06 | — | 0.21 | | Nov 30, 2021 | Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality. |
| CVE-2022-37024 | | | 0.04 | — | 0.78 | | Aug 9, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 (125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code… |
| CVE-2022-36923 | | | 0.02 | — | 0.08 | | Aug 10, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and… |
| CVE-2021-41081 | | | 0.02 | — | 0.69 | | Nov 11, 2021 | Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search. |
| CVE-2018-18980 | | | 0.02 | — | 0.25 | | Nov 6, 2018 | An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local… |
| CVE-2021-41080 | | | 0.01 | — | 0.04 | | Nov 11, 2021 | Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search. |
| CVE-2014-3459 | | | 0.01 | — | 0.12 | | Aug 7, 2014 | Heap-based buffer overflow in SolarWinds Network Configuration Manager (NCM) before 7.3 allows remote attackers to execute arbitrary code via the PEstrarg1 property. |
| CVE-2023-40055 | | | 0.00 | — | 0.02 | | Nov 9, 2023 | The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33227 |
| CVE-2023-40054 | | | 0.00 | — | 0.03 | | Nov 9, 2023 | The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33226 |
| CVE-2023-33228 | | | 0.00 | — | 0.00 | | Nov 1, 2023 | The SolarWinds Network Configuration Manager was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to obtain sensitive information. |
| CVE-2023-33227 | | | 0.00 | — | 0.02 | | Nov 1, 2023 | The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. |
| CVE-2023-33226 | | | 0.00 | — | 0.02 | | Nov 1, 2023 | The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. |
| CVE-2023-29505 | | | 0.00 | — | 0.01 | | Aug 4, 2023 | An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking. |
| CVE-2023-23842 | | | 0.00 | — | 0.03 | | Jul 26, 2023 | The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands. |
| CVE-2021-35226 | | | 0.00 | — | 0.00 | | Oct 10, 2022 | An entity in the Network Configuration Manager product is misconfigured and exposes a password field to SolarWinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role. |
| CVE-2014-2509 | | | 0.00 | — | 0.02 | | Jul 1, 2014 | Session fixation vulnerability in the Report Advisor (RA) component in EMC Network Configuration Manager (NCM) before 9.3 allows remote attackers to hijack web sessions via a session cookie. |