CVE-2018-7890

CRITICAL

Zoho ManageEngine Applications Manager <13.6 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-7890. PoCs published by Mehmet Ince, Mehmet Ince <[email protected]>, including Metasploit module exploits/windows/http/manageengine_appmanager_exec.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in ManageEngine Applications Manager via the `testCredential.do` endpoint, allowing unauthenticated RCE by injecting a PowerShell payload into the `UserName` parameter when the `type` is set to `OfficeSharePointServer`.

Description

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.

Exploits (2)

exploitdb WORKING POC
by Mehmet Ince · rubywebappsjava
https://www.exploit-db.com/exploits/44274

This Metasploit module exploits a command injection vulnerability in ManageEngine Applications Manager via the `testCredential.do` endpoint, allowing unauthenticated RCE by injecting a PowerShell payload into the `UserName` parameter when the `type` is set to `OfficeSharePointServer`.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ManageEngine Applications Manager (versions affected by CVE-2018-7890)
No auth needed
Prerequisites: Network access to the target's port 9090 · Vulnerable version of ManageEngine Applications Manager
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Mehmet Ince <[email protected]> · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_appmanager_exec.rb

This Metasploit module exploits a command injection vulnerability in ManageEngine Applications Manager via the `testCredential.do` endpoint, allowing unauthenticated RCE by injecting a PowerShell payload into the `UserName` parameter.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ManageEngine Applications Manager (versions affected by CVE-2018-7890)
No auth needed
Prerequisites: Network access to the target's port 9090 · Vulnerable version of ManageEngine Applications Manager
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44274/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103358
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/9684

Scores

CVSS v3 9.8
EPSS 0.8628
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
zohocorp/manageengine_applications_manager < 13.6
Published Mar 08, 2018
Tracked Since Feb 18, 2026