CVE-2019-12133
CVE-2019-12133 is a high-severity vulnerability in Zohocorp Manageengine Analytics Plus with a CVSS 3.x base score of 7.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-427.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 7.2
- EPSS exploit prediction: 2% (76th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-427
- Affected product: Zohocorp Manageengine Analytics Plus
- Published:
- Last modified:
Description
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.
Frequently asked questions
- What is CVE-2019-12133?
- Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.
- How severe is CVE-2019-12133?
- CVE-2019-12133 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-12133 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (76th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-12133?
- CVE-2019-12133 primarily affects Zohocorp Manageengine Analytics Plus. In total, 18 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-12133?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2019-12133 published?
- CVE-2019-12133 was published on 2019-06-18 and last updated on 2026-06-17.
References
- https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md
- https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html
Affected products (18)
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_browser_security_plus:-:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.380:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_firewall:12.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_key_manager_plus:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_mobile_device_manager_plus:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_network_configuration_manager:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_opmanager:12.3:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_oputils:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_password_manager_pro:9.9:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_patch_connect_plus:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_patch_manager_plus:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_vulnerability_manager_plus:9.0.0:*:*:*:*:*:*:*
More vulnerabilities in Zohocorp Manageengine Analytics Plus
- CVE-2022-47966 — Critical (CVSS 9.8): Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due…
- CVE-2020-21642 — Critical (CVSS 9.8): Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus…
- CVE-2025-9428 — High (CVSS 8.3): Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key…
- CVE-2024-52323 — High (CVSS 8.1): Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which…
- CVE-2020-21641 — High (CVSS 7.5): Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote…
- CVE-2023-6105 — Medium (CVSS 5.5): An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys…
All CVEs affecting Zohocorp Manageengine Analytics Plus →
Other CWE-427 (Uncontrolled Search Path Element) vulnerabilities
- CVE-2025-4981 — Critical (CVSS 9.9): Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to…
- CVE-2025-69599 — Critical (CVSS 9.8): RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH…
- CVE-2019-25268 — Critical (CVSS 9.8): NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking…
- CVE-2023-53959 — Critical (CVSS 9.8): FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by…
- CVE-2025-65741 — Critical (CVSS 9.8): Sublime Text 3 Build 3208 or prior for MacOS is vulnerable to Dylib Injection. An attacker could compile a .dylib file…
- CVE-2024-23054 — Critical (CVSS 9.8): An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution…
Browse all CWE-427 (Uncontrolled Search Path Element) vulnerabilities →