CVE-2016-9488

CRITICAL

ManageEngine Applications Manager 12-13 < 13200 - Unauthenticated SQL Injection via MenuHandlerServlet

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-9488. PoCs published by aldorm.

AI-analyzed exploit summary: This Python script exploits a SQL injection vulnerability in ManageEngine Applications Manager's MenuHandlerServlet to extract user credentials and optionally create a new admin user. It demonstrates the vulnerability by injecting SQL queries via the 'config_id' parameter.

Description

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.

Exploits (1)

exploitdb WORKING POC
by aldorm · python · webapps · java
https://www.exploit-db.com/exploits/48692

Classification
Working PoC: 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: ManageEngine Applications Manager 12 and 13 before Build 13200
Authentication: none needed
Prerequisites: Network access to the target server · ManageEngine Applications Manager running a vulnerable version
Analyzed by devstral-2 on Feb 16, 2026

References (5)

Core References
Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2017/Apr/9
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/97394

Scores

CVSS v3: 9.8
EPSS: 0.0440
EPSS Percentile: 89.3%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (2):
manageengine/applications_manager 12.0
manageengine/applications_manager 13.0
Published: Jun 05, 2018
Tracked Since: Feb 18, 2026