CVE-2019-8925

MEDIUM

ManageEngine Netflow Analyzer 7.0.0.2 Authenticated Path Traversal via CReportPDFServlet

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-8925. PoCs published by Rafael Pedrero.

AI-analyzed exploit summary: This is a writeup documenting multiple XSS and path traversal vulnerabilities in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2. It includes descriptions, PoC URLs, and mitigation advice but does not contain executable exploit code.

Description

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.

Exploits (1)

exploitdb WRITEUP
by Rafael Pedrero · html · webapps · jsp
https://www.exploit-db.com/exploits/46425

Classification: Writeup 100%
Attack Type: XSS | Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2
Auth required
Prerequisites: Authenticated access to the administration zone
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Product, Vendor Advisory x_refsource_misc
https://www.manageengine.com/products/netflow/?doc
Exploit, Mailing List, Not Applicable, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2019/Feb/45
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/46425/

Scores

CVSS v3 4.3
EPSS 0.0902
EPSS Percentile 92.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-22
Status: published
Products (1)
zohocorp/manageengine_netflow_analyzer 7.0.0.2
Published May 17, 2019
Tracked Since Feb 18, 2026