CVE-2011-2755

ManageEngine ServiceDesk Plus 8.0 - Path Traversal via FileDownload.jsp

Exploitation Summary

EIP tracks 3 public exploits for CVE-2011-2755.

AI-analyzed exploit summary: The exploit demonstrates a directory traversal vulnerability in ManageEngine Support Center Plus 7.8 build <= 7801, allowing unauthenticated attackers to read arbitrary files on the server by manipulating the 'path' parameter in the FileDownload.jsp endpoint.

Description

Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 allows remote attackers to read arbitrary files via unspecified vectors.

Exploits (3)

exploitdb WORKING POC
webapps · jsp
https://www.exploit-db.com/exploits/17442

The exploit demonstrates a directory traversal vulnerability in ManageEngine Support Center Plus 7.8 build <= 7801, allowing unauthenticated attackers to read arbitrary files on the server by manipulating the 'path' parameter in the FileDownload.jsp endpoint.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: ManageEngine Support Center Plus 7.8 build <= 7801
No auth needed
Prerequisites: Network access to the target server
devstral-2 · analyzed Feb 19, 2026

exploitdb WRITEUP
webapps · jsp
https://www.exploit-db.com/exploits/17437

The document describes a directory traversal vulnerability in ManageEngine ServiceDesk Plus 8.0, allowing attackers to access local files via crafted requests. It includes a proof-of-concept request demonstrating the issue and references the patch.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: ManageEngine ServiceDesk Plus 8.0
No auth needed
Prerequisites: Network access to the target server
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
perl · webapps · jsp
https://www.exploit-db.com/exploits/17503

This Perl script exploits a directory traversal vulnerability in ManageEngine ServiceDesk <= 8.0.0.12 to disclose database backup files. It constructs paths to access server logs and backup directories, then generates download links for these files.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ServiceDesk <= 8.0.0.12
No auth needed
Prerequisites: Network access to the target server · FileDownload.jsp endpoint must be accessible
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References
US Government Resource · third-party-advisory · x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/543310

Scores

EPSS: 0.0285
EPSS Percentile: 86.6%

Details

CWE: CWE-22
Status: published
Products (1): manageengine/servicedesk_plus 8.0
Published: Jul 17, 2011
Tracked Since: Feb 18, 2026