Template / PR Information

• Added CVE-2021-3287 — ManageEngine OpManager Deserialization RCE

• This template sends a serialized Java integer (1002) to the vulnerable SUMHandShakeServlet endpoint. If the response includes a valid Java serialized stream header (0xaced0005), the system is likely vulnerable to unauthenticated Java deserialization (CVE-2021-3287).

• References:

  • https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/
  • https://nvd.nist.gov/vuln/detail/CVE-2021-3287

Template Validation

I’ve validated this template locally?

• YES
• NO

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

                projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] [CVE-2021-3287] Dumped HTTP request for http://192.168.31.102:8060/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet

POST /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet HTTP/1.1
Host: 192.168.31.102:8060
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15        
Connection: close
Content-Length: 10
Content-Type: application/octet-stream
Accept-Encoding: gzip

��w�
[DBG] [CVE-2021-3287] Dumped HTTP response http://192.168.31.102:8060/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet

HTTP/1.1 200
Connection: close
Transfer-Encoding: chunked
Date: Thu, 26 Jun 2025 10:49:45 GMT
Set-Cookie: JSESSIONID=16D93DD06E361B48F5193432F2D1A52D; Path=/; HttpOnly
Vary: Accept-Encoding


00000000  ac ed 00 05                                       |....|
[CVE-2021-3287:status-1] [http] [critical] http://192.168.31.102:8060/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet       
[CVE-2021-3287:binary-2] [http] [critical] http://192.168.31.102:8060/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet       
[INF] Scan completed in 22.190292ms. 2 matches found.

Additional Details (leave it blank if not applicable)

/claim #12474

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server