CVE-2014-9619

HIGH

Netsweeper < 3.1.10, 4.0.x < 4.0.9, 4.1.x < 4.1.2 - Authenticated PHP Code Execution via File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9619. PoCs published by Anastasios Monachos.

AI-analyzed exploit summary: This writeup describes an arbitrary file upload vulnerability in Netsweeper 4.0.8, allowing authenticated admin users to upload and execute malicious PHP code disguised as a GIF file. The exploit leverages the AJAX file manager to bypass restrictions and achieve remote code execution.

Description

Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with admin privileges on the Cloud Manager web console to execute arbitrary PHP code by uploading a file with a double extension, then accessing it via a direct request to the file in webadmin/deny/images/, as demonstrated by secuid0.php.gif.

Exploits (1)

exploitdb WRITEUP
by Anastasios Monachos · text · webapps · php
https://www.exploit-db.com/exploits/37932


Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Netsweeper 4.0.8
Auth required
Prerequisites: Admin privileges on the Cloud Manager web console
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37932/

Scores

CVSS v3 7.2
EPSS 0.0735
EPSS Percentile 93.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (12)
netsweeper/netsweeper 4.0.0
netsweeper/netsweeper 4.0.1
netsweeper/netsweeper 4.0.2
netsweeper/netsweeper 4.0.3
netsweeper/netsweeper 4.0.4
netsweeper/netsweeper 4.0.5
netsweeper/netsweeper 4.0.6
netsweeper/netsweeper 4.0.7
netsweeper/netsweeper 4.0.8
netsweeper/netsweeper 4.1.0
... and 2 more
Published Sep 19, 2017
Tracked Since Feb 18, 2026