CVE-2014-5005

Zohocorp Manageengine Desktop Central < 9.0 - Path Traversal

Title source: rule

Description

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/34594

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb

View Code ZIP pw:eip

exploitdb WRITEUP

webappsjsp

https://www.exploit-db.com/exploits/34518

View on exploitdb

References (5)

[Exploit] http://seclists.org/fulldisclosure/2014/Aug/88

[Exploit] http://www.exploit-db.com/exploits/34594

[Exploit] https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_file_upload.txt

[Various Sources] https://www.manageengine.com/products/desktop-central/remote-code-execution.html

[Third Party Advisory, VDB Entry] http://osvdb.org/show/osvdb/110643

Scores

EPSS 0.8582

EPSS Percentile 99.4%

Classification

CWE

CWE-22

Status draft

Affected Products (1)

zohocorp/manageengine_desktop_central < 9.0

Timeline

Published Oct 21, 2014

Tracked Since Feb 18, 2026