CVE-2014-5446

ManageEngine Netflow Analyzer 8.6-10.2 and IT360 10.3 - Path Traversal via DisplayChartPDF Filename Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5446. PoCs published by Pedro Ribeiro.

AI-analyzed exploit summary This is a writeup detailing arbitrary file download vulnerabilities in ManageEngine NetFlow Analyzer and IT360. It includes technical details, affected versions, and a timeline of failed disclosure attempts.

Description

Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.

Exploits (1)

exploitdb WRITEUP

by Pedro Ribeiro · textwebappsmultiple

https://www.exploit-db.com/exploits/43895

View Code ZIP pw:eip

This is a writeup detailing arbitrary file download vulnerabilities in ManageEngine NetFlow Analyzer and IT360. It includes technical details, affected versions, and a timeline of failed disclosure attempts.

Classification

Writeup 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: ManageEngine NetFlow Analyzer v8.6 to v10.2, IT360 v10.3 and above

No auth needed

Prerequisites: Network access to the target system

MITRE ATT&CK

T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/99046

Exploit, Patch x_refsource_confirm

https://support.zoho.com/portal/manageengine/helpcenter/articles/cve-2014-5445-cve-2014-5446-fix-for-arbitrary-file-download

Exploit x_refsource_misc

http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/534141/100/0/threaded

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/71404

Exploit x_refsource_misc

https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/534122/100/0/threaded

Exploit mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2014/Dec/9

Scores

EPSS 0.5472

EPSS Percentile 98.9%

Details

CWE

CWE-22

Status published

Products (14)

zohocorp/manageengine_it360 10.3.0

zohocorp/manageengine_netflow_analyzer 8.6

zohocorp/manageengine_netflow_analyzer 9.0

zohocorp/manageengine_netflow_analyzer 9.1

zohocorp/manageengine_netflow_analyzer 9.5

zohocorp/manageengine_netflow_analyzer 9.6

zohocorp/manageengine_netflow_analyzer 9.7

zohocorp/manageengine_netflow_analyzer 9.8

zohocorp/manageengine_netflow_analyzer 9.8.5

zohocorp/manageengine_netflow_analyzer 9.8.6

... and 4 more

Published Dec 04, 2014

Tracked Since Feb 18, 2026