ManageEngine Exchange Reporter Plus Remote Code Execution Vulnerability Alert
Recently, ManageEngine officially released a new version of Exchange Reporter Plus to fix a remote code execution vulnerability. The vulnerability stems from the Java servlet ‘ADSHACluster’ when a ‘bcp.exe’ file is executed, and an attacker can bypass the ‘BCP_EXE’ parameter to execute code remotely.
ManageEngine Exchange Reporter Plus is a web-based Microsoft Exchange Server analysis and reporting solution. Exchange Reporter Plus is a comprehensive MS Exchange reporting software that provides over 100 different reports in all aspects of the Microsoft Exchange Server environment.
Affected version
- ManageEngine Exchange Reporter Plus <= 5310
Unaffected version
- ManageEngine Exchange Reporter Plus 5311
Solution
ManageEngine has released the latest version to fix the above vulnerability, and affected users should update to it for protection.
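
A defender-side triage sketch for the advisory above, added here as an example and not ManageEngine's or the original author's code: it checks a build number against the affected range and flags access-log requests that reach the ‘ADSHACluster’ servlet. The Common Log Format, the `/placeholder/` URL prefix and the sample lines are assumptions constructed for illustration; a ‘BCP_EXE’ value sent in a request body does not appear in an access log, so every request to the servlet is reported.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SERVLET = "adshacluster"      # servlet named in the advisory (compared lowercase)
PARAM = "BCP_EXE"             # parameter named in the advisory
LAST_AFFECTED_BUILD = 5310    # advisory: builds <= 5310 affected, 5311 fixed

# Assumption: access log lines are in Common Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_affected(build: int) -> bool:
    """True when the installed build falls in the advisory's affected range."""
    return build <= LAST_AFFECTED_BUILD

def find_servlet_hits(lines):
    """Return one record per request whose path contains the servlet name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        segments = [s.lower() for s in unquote(url.path).split("/") if s]
        if SERVLET not in segments:
            continue
        names = {k.upper() for k in parse_qs(url.query, keep_blank_values=True)}
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]), "param_in_query": PARAM in names,
        })
    return hits

# Constructed sample lines (documentation IP ranges, placeholder URL prefix).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /placeholder/ADSHACluster HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /placeholder/adshacluster?bcp_exe=CONSTRUCTED HTTP/1.1" 404 0',
    'not an access log line',
]

if __name__ == "__main__":
    print("build 5310 affected:", is_affected(5310))
    for hit in find_servlet_hits(SAMPLE_LOG):
        print(hit)
```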