top of page

ManageEngine OpManager getUserAPIKey Authentication Bypass (CVE-2022-36923)

Application Details

ManageEngine OpManager is a comprehensive network monitoring software that provides network administrators with an integrated console for managing routers, firewalls, servers, switches, and printers.


The lack of proper request handling mechanism had resulted in unauthenticated access of the user API key. Anyone can retrieve the API key of a valid user without authentication and can access the external APIs.


By sending a specially crafted request, an attacker could exploit this vulnerability to obtain the user API key information and then access external APIs.

PAYLOAD - operation=getUserAPIKey&username=admin&domainname=-&HANDSHAKE_KEY=ppppppppppppppppppppppppppppppppppppppppppppppppp


By turning this into a traffic file and matching rule, we are able to detect attempts by unauthenticated attackers to obtain a user's API key and gain unauthorised access to the application.


Idappcom has created signature 8023052 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability, or others, why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here:


bottom of page