CVE-2014-7862

CRITICAL

ManageEngine Desktop Central < 90109 - Unauthenticated Administrator Account Creation via DCPluginServelet


Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-7862. PoCs published by Pedro Ribeiro, including Metasploit module auxiliary/admin/http/manage_engine_dc_create_admin.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated administrator account creation vulnerability in ManageEngine Desktop Central. By sending a crafted GET request to the DCPluginServelet endpoint, an attacker can create a new admin user with a known password, enabling full control over managed devices.

Description

The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.

Exploits (2)

exploitdb WORKING POC
by Pedro Ribeiro · text · webapps · multiple
https://www.exploit-db.com/exploits/43892

This exploit demonstrates an unauthenticated administrator account creation vulnerability in ManageEngine Desktop Central. By sending a crafted GET request to the DCPluginServelet endpoint, an attacker can create a new admin user with a known password, enabling full control over managed devices.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: ManageEngine Desktop Central (versions 7 onwards, pre-9.0 build 90109)
No auth needed
Prerequisites: Network access to the target server
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb

This Metasploit module exploits an administrator account creation vulnerability in ManageEngine Desktop Central by sending a crafted request to DCPluginServelet. It creates a new admin account with specified credentials without requiring authentication.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: ManageEngine Desktop Central v7 onwards
No auth needed
Prerequisites: Network access to the target · Target running ManageEngine Desktop Central
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Issue Tracking, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/129769/Desktop-Central-Add-Administrator.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71849
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534356/100/0/threaded
Issue Tracking, Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99595
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Jan/2

Scores

CVSS v3: 9.8
EPSS: 0.8140
EPSS Percentile: 99.2%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-264
Status: published
Products (2):
zohocorp/desktop_central < 90109
zohocorp/desktop_central 7
Published: Jan 04, 2018
Tracked Since: Feb 18, 2026