CVE-2023-6105 Overview
An information disclosure vulnerability exists in multiple Zoho ManageEngine products that allows encryption keys to be exposed to low-privileged local users. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database, potentially leading to full compromise of sensitive organizational data managed by these enterprise IT management solutions.
Critical Impact
Local attackers with low-level OS access can extract encryption keys and decrypt database credentials, enabling unauthorized access to sensitive IT management data across affected ManageEngine products.
Affected Products
- ManageEngine Endpoint Central and Endpoint Central MSP
- ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus
- ManageEngine Password Manager Pro, PAM360, and Access Manager Plus
- ManageEngine ADSelfService Plus, ADManager Plus, and ADAudit Plus
- ManageEngine OpManager, OpUtils, and Network Configuration Manager
- ManageEngine M365 Manager Plus and M365 Security Plus
- ManageEngine Log360 UEBA, Cloud Security Plus, and DataSecurity Plus
- ManageEngine Firewall Analyzer and NetFlow Analyzer
- ManageEngine Analytics Plus, AppCreator, and various other IT management products
- Deployable on Microsoft Windows and Linux platforms
Discovery Timeline
- November 15, 2023 - CVE-2023-6105 published to NVD
- February 13, 2025 - Last updated in NVD database
Technical Details for CVE-2023-6105
Vulnerability Analysis
This vulnerability is classified as an information disclosure issue (CWE-200) that affects the secure storage of encryption keys within multiple ManageEngine products. The fundamental problem lies in how these products store cryptographic material used to protect database credentials. When encryption keys are accessible to low-privileged users on the host operating system, the security model of the entire application is compromised.
The vulnerability requires local access to the system where a ManageEngine product is installed. An attacker with even a low-privileged user account on the host can read the exposed encryption keys from the file system. Once obtained, these keys can be used to decrypt the product database passwords, granting the attacker direct access to the backend database. This database typically contains sensitive IT infrastructure information, credentials, audit logs, and configuration data that organizations rely on ManageEngine products to manage securely.
The widespread impact across over 40 ManageEngine products—spanning endpoint management, identity management, network monitoring, IT service management, and privileged access management solutions—makes this vulnerability particularly concerning for enterprise environments.
Root Cause
The root cause of this vulnerability is improper protection of sensitive cryptographic material. The encryption keys used to protect database passwords are stored in a location or with permissions that allow local OS users without administrative privileges to read them. This violates the principle of least privilege and secure key management practices, where cryptographic keys should be accessible only to the application processes that require them.
Attack Vector
Exploitation requires local access to the host system running an affected ManageEngine product. The attack follows this general flow:
- The attacker gains access to the host system with a low-privileged user account
- The attacker locates and reads the exposed encryption key from the file system
- Using the encryption key, the attacker decrypts the stored database credentials
- With the decrypted credentials, the attacker connects directly to the ManageEngine product database
- The attacker extracts sensitive data or modifies database contents
This attack vector is particularly concerning in shared hosting environments, compromised endpoints, or scenarios where attackers have established initial foothold through other means. The exposure of database credentials can lead to data theft, configuration tampering, privilege escalation within the managed infrastructure, or lateral movement using credentials stored in the database.
Detection Methods for CVE-2023-6105
Indicators of Compromise
- Unusual file access patterns targeting ManageEngine installation directories, particularly configuration or key storage locations
- Unexpected local user access to systems hosting ManageEngine products
- Direct database connections from unauthorized sources or user accounts
- Evidence of database credential extraction or decryption attempts in system or application logs
Detection Strategies
- Monitor file system access to ManageEngine installation directories for reads by non-service accounts
- Implement database activity monitoring to detect connections using the application's database credentials from unexpected sources
- Review authentication logs for direct database access attempts that bypass the web application interface
- Deploy endpoint detection and response (EDR) solutions to identify suspicious local reconnaissance activities
Monitoring Recommendations
- Enable comprehensive file access auditing on directories containing ManageEngine product files
- Configure database audit logging to capture all authentication attempts and data access
- Establish baseline behavior for ManageEngine service accounts and alert on deviations
- Regularly review local user account activity on systems hosting ManageEngine products
How to Mitigate CVE-2023-6105
Immediate Actions Required
- Identify all ManageEngine products deployed in your environment and verify their versions against the vendor advisory
- Apply the latest security patches from Zoho ManageEngine as specified in the ManageEngine Security Advisory
- Review and restrict local user access to systems hosting ManageEngine products
- Audit database access logs for any signs of unauthorized credential usage
Patch Information
Zoho ManageEngine has released security updates to address this vulnerability across all affected products. Organizations should consult the ManageEngine Security Advisory for specific version information and upgrade paths for each affected product. Given the large number of affected products, administrators should prioritize patching based on the sensitivity of data managed by each product and the exposure level of the hosting systems.
Additional technical analysis is available from Tenable Research.
Workarounds
- Restrict local access to ManageEngine host systems to only essential administrative accounts
- Implement strict file system permissions on ManageEngine installation directories to limit read access
- Segment ManageEngine product hosts from general user access networks where possible
- Enable enhanced monitoring for database and file system access while awaiting patch deployment
# Example: Review and restrict file permissions on ManageEngine directories (Linux)
# Identify ManageEngine installation directory
ls -la /opt/ManageEngine/
# Ensure configuration directories are only accessible by the service account
chmod 700 /opt/ManageEngine/<product>/conf/
chown -R manageengine:manageengine /opt/ManageEngine/<product>/conf/
# For Windows, review ACLs on installation directories using:
# icacls "C:\Program Files\ManageEngine\<product>" /T
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
