CVE-2014-5007

CRITICAL

Zohocorp Manageengine Desktop Central < 9.0 - Path Traversal

Title source: rule

Description

Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/29812

View Code ZIP pw:eip

exploitdb WORKING POC

by Pedro Ribeiro · textwebappsjsp

https://www.exploit-db.com/exploits/34518

View Code ZIP pw:eip

exploitdb WORKING POC

by Security-Assessment.com · textwebappsjsp

https://www.exploit-db.com/exploits/29674

View Code ZIP pw:eip

References (2)

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2014/Aug/88

[Vendor Advisory] https://www.manageengine.com/products/desktop-central/remote-code-execution.html

Scores

CVSS v3 9.8

EPSS 0.4996

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (2)

zohocorp/manageengine_desktop_central 7.0 - 9.0

zohocorp/manageengine_desktop_central_managed_service_providers 7.0 - 9.0

Published Jan 17, 2020

Tracked Since Feb 18, 2026