CVE-2014-6035

ManageEngine OpManager < 11.3 - Path Traversal and Arbitrary File Write via FileCollector Servlet FILENAME Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-6035.

AI-analyzed exploit summary: This is a detailed technical writeup describing multiple vulnerabilities in ManageEngine OpManager, Social IT Plus, and IT360, including remote code execution via WAR file upload, arbitrary file deletion, and blind SQL injection. It provides specific endpoints, payloads, and affected versions for each vulnerability.

Description

Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.

Exploits (1)

exploitdb WRITEUP
webapps · multiple
https://www.exploit-db.com/exploits/43896


Classification: Writeup 100%
Attack Type: RCE | SQLi | Other
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine OpManager v8.8 to v11.4, Social IT Plus v11.0, IT360 v? to v10.4
No auth needed
Prerequisites: Network access to the target system · Knowledge of vulnerable endpoints
devstral-2 · analyzed Feb 19, 2026

Scores

EPSS: 0.2620
EPSS Percentile: 97.7%

Details

CWE: CWE-22
Status: published
Products (2):
zohocorp/manageengine_opmanager 11.4
zohocorp/manageengine_opmanager < 11.3
Published: Dec 04, 2014
Tracked Since: Feb 18, 2026