CVE-2014-6037

ManageEngine EventLog Analyzer 9.0/8.2 - Remote Code Execution via ZIP Traversal

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-6037. PoCs published by Metasploit, Hans-Martin Muench, h0ng10, including Metasploit module exploits/multi/http/eventlog_file_upload.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated file upload vulnerability in ManageEngine Eventlog Analyzer via the agentUpload servlet, allowing remote code execution through insecure handling of ZIP file contents. It supports multiple versions (7.0-9.9) and platforms (Windows/Linux/Java).

Description

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/34670

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated file upload vulnerability in ManageEngine Eventlog Analyzer via the agentUpload servlet, allowing remote code execution through insecure handling of ZIP file contents. It supports multiple versions (7.0-9.9) and platforms (Windows/Linux/Java).

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ManageEngine Eventlog Analyzer v7.0 - v9.9 b9002

No auth needed

Prerequisites: Network access to target · ManageEngine Eventlog Analyzer running on port 8400

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC

by Hans-Martin Muench · textwebappsjsp

https://www.exploit-db.com/exploits/34519

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated remote code execution vulnerability in ManageEngine EventLog Analyzer via a malicious ZIP file upload to the 'agentUpload' servlet, allowing arbitrary file placement in the web root. It also highlights an authorization bypass issue enabling low-privileged users to access the database browser.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: ManageEngine EventLog Analyzer 9.9 (Build 9002) and earlier

No auth needed

Prerequisites: Network access to the target server · Ability to craft a malicious ZIP file using evilarc

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by h0ng10 · rubypocjava

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/eventlog_file_upload.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated file upload vulnerability in ManageEngine Eventlog Analyzer (CVE-2014-6037) by uploading a malicious ZIP file containing a JSP payload, leading to remote code execution. It supports multiple versions and platforms, including Java, Windows, and Linux targets.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ManageEngine Eventlog Analyzer v7.0 - v9.9 b9002

No auth needed

Prerequisites: Network access to the target's HTTP service (port 8400 by default) · Vulnerable version of ManageEngine Eventlog Analyzer

MITRE ATT&CK