CVE-2023-23076: 
Zoho ManageEngine SupportCenter Plus vulnerability analysis and mitigation

CVE-2023-23076 is an OS command injection vulnerability discovered in ManageEngine SupportCenter Plus version 11027 and older versions. The vulnerability was identified in the Support Center Plus 11 via Executor in Action component when creating new schedules. The issue was disclosed and fixed on February 2, 2023, with the release of version 14000 (ManageEngine Advisory).

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection). It received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows threat actors with admin role access to inject and execute arbitrary OS commands on the target server, potentially leading to further attacks and system compromise (ManageEngine Advisory).

ManageEngine has addressed this vulnerability by modifying the way OS commands are input and script executions are configured. The fix involves uploading commands in specific folders and pulling them using a TXT file. Users are strongly advised to upgrade to version 14000 or later to remediate this vulnerability (ManageEngine Advisory).