CVE-2019-11469

CRITICAL

Zoho ManageEngine Apps Mgr <15 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11469. PoCs published by AkkuS.

AI-analyzed exploit summary: This Metasploit module exploits an SQL injection and command injection vulnerability in ManageEngine Applications Manager versions prior to 14.0. It bypasses authentication by creating a new admin user via SQLi and then uploads a malicious file to achieve remote command execution.

Description

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

Exploits (1)

exploitdb WORKING POC
by AkkuS · ruby · remote · multiple
https://www.exploit-db.com/exploits/46740


Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine Applications Manager < 14.0
No auth needed
Prerequisites: Network access to the target server on port 8443 · SSL/TLS enabled on the target
devstral-2 · analyzed Feb 18, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46740/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/46740

Scores

CVSS v3 9.8
EPSS 0.0645
EPSS Percentile 91.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (1)
zohocorp/manageengine_applications_manager 12.0 - 14.0
Published Apr 23, 2019
Tracked Since Feb 18, 2026