CVE-2019-19650

HIGH

Zoho ManageEngine Applications Manager <13640 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-19650. PoCs published by eLeN3Re.

AI-analyzed exploit summary: The repository provides a technical description of a blind SQL injection vulnerability in Zoho ManageEngine Applications Manager before version 13640, affecting the Agent servlet's agentid parameter. It references an external PDF for detailed technical analysis but lacks exploit code or in-depth technical walkthroughs in the README.

Description

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

Exploits (1)

gitlab WRITEUP
by eLeN3Re · poc
https://gitlab.com/eLeN3Re/CVE-2019-19650

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Moderate
Reliability: Theoretical
Target: Zoho ManageEngine Applications Manager before 13640
Auth required
Prerequisites: authenticated access to the application
devstral-2 · analyzed Feb 23, 2026

References (2)

Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://www.manageengine.com/products/applications_manager/release-notes.html
Third Party Advisory x_refsource_misc
https://gitlab.com/eLeN3Re/CVE-2019-19650

Scores

CVSS v3 8.8
EPSS 0.0568
EPSS Percentile 92.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status published
Products (1)
zohocorp/manageengine_applications_manager < 13.7
Published Dec 11, 2019
Tracked Since Feb 18, 2026