CVE-2014-5301

HIGH

ManageEngine ServiceDesk Plus MSP 5-9.0.9030 Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-5301. PoCs published by Metasploit, including Metasploit module exploits/multi/http/manageengine_auth_upload.

AI-analyzed exploit summary: This Metasploit module exploits a directory traversal vulnerability in ManageEngine products (CVE-2014-5301) to upload arbitrary files, achieving remote code execution. It supports multiple products and versions, with authentication handling for default or provided credentials.

Description

Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · java
https://www.exploit-db.com/exploits/35845

This Metasploit module exploits a directory traversal vulnerability in ManageEngine products (CVE-2014-5301) to upload arbitrary files, achieving remote code execution. It supports multiple products and versions, with authentication handling for default or provided credentials.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ServiceDesk Plus, AssetExplorer, SupportCenter Plus, IT360 (various versions)
Auth required
Prerequisites: Network access to target · Valid credentials or default credentials (guest/guest)
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/manageengine_auth_upload.rb

This Metasploit module exploits a directory traversal vulnerability in ManageEngine products (ServiceDesk, AssetExplorer, SupportCenter, IT360) to achieve authenticated file upload. It supports multiple versions and includes authentication handling for default or provided credentials.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ServiceDesk Plus, AssetExplorer, SupportCenter Plus, IT360 (versions prior to fixes)
Auth required
Prerequisites: Network access to target · Valid credentials or default credentials (guest/guest)
devstral-2 · analyzed Feb 16, 2026

References (7)

Core 7
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/35845/
Permissions Required third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62105
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Jan/5
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99610
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534377/100/0/threaded

Scores

CVSS v3 8.8
EPSS 0.7838
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-22
Status: published
Products (4)
manageengine/assetexplorer
manageengine/it360
manageengine/servicedesk_plus
manageengine/supportcenter
Published: Aug 28, 2017
Tracked Since: Feb 18, 2026