CVE-2019-8394

MEDIUM · KEV

ManageEngine ServiceDesk Plus < 10.0 - Unauthenticated Arbitrary File Upload via Login Page Customization


Exploitation Summary

CVE-2019-8394 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 2 public exploits: one by researcher Dao Duy Hung and the Metasploit module exploits/multi/http/manageengine_sd_uploader.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in Zoho ManageEngine ServiceDesk Plus before 10.0 build 10012. By setting the 'module' parameter to 'CustomLogin', the file extension check is bypassed, allowing an authenticated user to upload a malicious JSP file to the server.

Description

Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

Exploits (2)

exploitdb · WORKING POC
by Dao Duy Hung · text · webapps · jsp
https://www.exploit-db.com/exploits/46413

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus before 10.0 build 10012
Auth required
Prerequisites: Authenticated access to the application · Network access to the target server
Analyzed by devstral-2, Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/manageengine_sd_uploader.rb

This Metasploit module exploits an unauthenticated file upload vulnerability in ManageEngine ServiceDesk Plus (CVE-2019-8394) by uploading a malicious EAR file containing a WAR payload, leading to remote code execution on vulnerable versions (v9 b9000 - b9102).

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ServiceDesk Plus v9 b9000 - b9102
No auth needed
Prerequisites: Network access to the target's ServiceDesk Plus instance · Vulnerable version of ServiceDesk Plus (v9 b9000 - b9102)
Analyzed by devstral-2, Feb 16, 2026

References (4)

Core References
https://www.exploit-db.com/exploits/46413/ (Exploit, Third Party Advisory, VDB Entry; exploit-db)
http://www.securityfocus.com/bid/107129 (Third Party Advisory, VDB Entry; BID)
https://www.manageengine.com/products/service-desk/readme.html (Release Notes, Vendor Advisory; vendor confirmation)

Scores

CVSS v3: 6.5
EPSS: 0.6405
EPSS Percentile: 99.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: partial

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2020-12-23
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2019-17784
CWE: CWE-434
Status: published
Products (2)
zohocorp/manageengine_servicedesk_plus 10.0.0 (13 CPE variants)
zohocorp/manageengine_servicedesk_plus < 10.0.0
Published: Feb 17, 2019
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026