CVE-2014-7862

CRITICAL

Zohocorp Desktop Central < 90109 - Access Control

Title source: rule

Description

The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.

Exploits (2)

exploitdb WORKING POC
by Pedro Ribeiro · text · webapps · multiple
https://www.exploit-db.com/exploits/43892
metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb

Scores

CVSS v3 9.8
EPSS 0.8140
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-264
Status published
Products (2)
zohocorp/desktop_central < 90109
zohocorp/desktop_central 7
Published Jan 04, 2018
Tracked Since Feb 18, 2026