CVE-2014-5445

ManageEngine Netflow Analyzer 8.6-10.2 and IT360 10.3 - Path Traversal via schFilePath Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-5445. Includes Metasploit module auxiliary/admin/http/netflow_file_download.

AI-analyzed exploit summary The document details an arbitrary file download vulnerability in ManageEngine NetFlow Analyzer and IT360, providing specific exploit paths and technical details. It includes a timeline of failed vendor communication and confirms the vulnerability remains unpatched.

Description

Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.

Exploits (2)

exploitdb WRITEUP
webappsmultiple
https://www.exploit-db.com/exploits/43895

The document details an arbitrary file download vulnerability in ManageEngine NetFlow Analyzer and IT360, providing specific exploit paths and technical details. It includes a timeline of failed vendor communication and confirms the vulnerability remains unpatched.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: ManageEngine NetFlow Analyzer v8.6 to v10.2, IT360 v10.3 and above
No auth needed
Prerequisites: Network access to the target system
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/netflow_file_download.rb

This Metasploit module exploits an arbitrary file download vulnerability in ManageEngine NetFlow Analyzer via the CSVServlet endpoint. It allows an attacker to download any file from the server by specifying the file path in the 'schFilePath' parameter.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: ManageEngine NetFlow Analyzer versions 8.6 to 10.2
No auth needed
Prerequisites: Network access to the target server · CSVServlet endpoint accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99045
Exploit, Patch, Third Party Advisory, VDB Entry, Vendor Advisory x_refsource_misc
http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534141/100/0/threaded
Exploit, Mailing List, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71404
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/4282
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534122/100/0/threaded
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Dec/9

Scores

EPSS 0.9097
EPSS Percentile 99.7%

Details

CWE
CWE-22
Status published
Products (2)
zohocorp/manageengine_it360 10.3.0
zohocorp/manageengine_netflow_analyzer 8.6 - 10.2
Published Dec 04, 2014
Tracked Since Feb 18, 2026