CVE-2014-7864

ManageEngine OpManager 8-11.5 - SQL Injection via FailOverHelperServlet Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-7864. PoCs published by Pedro Ribeiro.

AI-analyzed exploit summary The document describes multiple vulnerabilities in ManageEngine products, including arbitrary file download, directory listing, and blind SQL injection via the FailOverHelperServlet. It provides technical details and affected versions but does not include executable exploit code.

Description

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

Exploits (1)

exploitdb WRITEUP

by Pedro Ribeiro · textwebappsmultiple

https://www.exploit-db.com/exploits/43894

View Code ZIP pw:eip

The document describes multiple vulnerabilities in ManageEngine products, including arbitrary file download, directory listing, and blind SQL injection via the FailOverHelperServlet. It provides technical details and affected versions but does not include executable exploit code.

Classification

Writeup 100%

Attack Type

Sqli | Info Leak

Complexity

Trivial

Reliability

Reliable

Target: ManageEngine OpManager, Applications Manager, IT360

No auth needed

Prerequisites: Network access to the target servlet

MITRE ATT&CK

T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/100555

Exploit mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2015/Jan/114

Exploit x_refsource_misc

http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html

Exploit x_refsource_confirm

https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/534575/100/0/threaded

Exploit x_refsource_misc

https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt

Scores

EPSS 0.2267

EPSS Percentile 97.4%

Details

CWE

CWE-89

Status published

Products (14)

zohocorp/manageengine_opmanager 8.8

zohocorp/manageengine_opmanager 9.0

zohocorp/manageengine_opmanager 9.1

zohocorp/manageengine_opmanager 9.2

zohocorp/manageengine_opmanager 9.4

zohocorp/manageengine_opmanager 10.0

zohocorp/manageengine_opmanager 10.1

zohocorp/manageengine_opmanager 10.2

zohocorp/manageengine_opmanager 11.0

zohocorp/manageengine_opmanager 11.1

... and 4 more

Published Feb 04, 2015

Tracked Since Feb 18, 2026