CVE-2019-11448

CRITICAL

Zoho ManageEngine Applications Manager <14.0 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11448. PoCs published by AkkuS.

AI-analyzed exploit summary: This Metasploit module exploits a SQL injection vulnerability in ManageEngine Applications Manager versions 11.0 to 14.0, allowing unauthenticated remote code execution by writing a malicious VBS file to the system. It also dumps user credentials from the database.

Description

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.

Exploits (1)

exploitdb WORKING POC
by AkkuS · ruby · remote · windows
https://www.exploit-db.com/exploits/46725

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine Applications Manager 11.0 - 14.0
Authentication: No auth needed
Prerequisites: Network access to the target server · Target server running ManageEngine Applications Manager 11.0 - 14.0
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46725/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/46725

Scores

CVSS v3 9.8
EPSS 0.1711
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): zohocorp/manageengine_applications_manager 11.0 - 14.0
Published: Apr 22, 2019
Tracked Since: Feb 18, 2026