CVE-2014-6036

ManageEngine OpManager <11.3, Social IT Plus 11.0, IT360 <=10.4 - Path Traversal & File Deletion


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-6036.

AI-analyzed exploit summary: This is a detailed technical writeup describing multiple vulnerabilities in ManageEngine products, including remote code execution via WAR file upload, arbitrary file deletion, and blind SQL injection. It provides specific endpoints, payload formats, and affected versions.

Description

Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.

Exploits (1)

exploitdb WRITEUP
webapps · multiple
https://www.exploit-db.com/exploits/43896

Classification: Writeup 100%
Attack Type: RCE | SQLi | Other
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine OpManager, Social IT Plus, IT360
No auth needed
Prerequisites: Network access to the target · Specific versions of ManageEngine products
devstral-2 · analyzed Feb 19, 2026

Scores

EPSS 0.3912
EPSS Percentile 98.4%

Details

CWE: CWE-22
Status: published
Products (4)
zohocorp/manageengine_it360 10.3.0
zohocorp/manageengine_it360 < 10.4
zohocorp/manageengine_opmanager < 11.3
zohocorp/manageengine_social_it_plus 11.0
Published Dec 04, 2014
Tracked Since Feb 18, 2026