CVE-2014-7868

ManageEngine OpManager 11.3-11.4, IT360 10.3-10.4, Social IT Plus 11.0 SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-7868. PoCs published by Pedro Ribeiro.

AI-analyzed exploit summary The document describes multiple vulnerabilities in ManageEngine OpManager, Social IT Plus, and IT360, including unauthenticated remote code execution via file upload (CVE-2014-7866) and blind SQL injection (CVE-2014-7868). It provides technical details, affected versions, and mitigation steps.

Description

Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.

Exploits (2)

exploitdb WRITEUP
by Pedro Ribeiro · textwebappsjsp
https://www.exploit-db.com/exploits/35209

The document describes multiple vulnerabilities in ManageEngine OpManager, Social IT Plus, and IT360, including unauthenticated remote code execution via file upload (CVE-2014-7866) and blind SQL injection (CVE-2014-7868). It provides technical details, affected versions, and mitigation steps.

Classification
Writeup 100%
Attack Type
Rce | Sqli
Complexity
Moderate
Reliability
Reliable
Target: ManageEngine OpManager (v8 build 88XX to 11.4), IT360 (10.3/10.4), Social IT (11.0)
No auth needed
Prerequisites: Network access to the target · Vulnerable version of ManageEngine software
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP
by Pedro Ribeiro · textwebappsmultiple
https://www.exploit-db.com/exploits/43896

This is a detailed writeup describing multiple vulnerabilities in ManageEngine OpManager, Social IT Plus, and IT360, including remote code execution, arbitrary file deletion, and blind SQL injection. It provides technical details, affected versions, and mitigation steps but does not include actual exploit code.

Classification
Writeup 100%
Attack Type
Rce | Sqli | Other
Complexity
Moderate
Reliability
Theoretical
Target: ManageEngine OpManager v8.8 to v11.4, Social IT Plus v11.0, IT360 v? to v10.4
No auth needed
Prerequisites: Network access to the target system · Vulnerable version of ManageEngine software
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

EPSS 0.7332
EPSS Percentile 99.4%

Details

CWE
CWE-89
Status published
Products (5)
zohocorp/manageengine_it360 10.3.0
zohocorp/manageengine_it360 10.4
zohocorp/manageengine_opmanager 11.3
zohocorp/manageengine_opmanager 11.4
zohocorp/manageengine_social_it_plus 11.0
Published Dec 04, 2014
Tracked Since Feb 18, 2026