CVE-2020-15394

CRITICAL

Zoho ManageEngine Applications Manager <build 14740 - RCE

Title source: llm

Description

The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.

Exploits (1)

nomisec WORKING POC

by trungtin1998 · poc

https://github.com/trungtin1998/CVE-2020-15394-PoC

View Code ZIP pw:eip

References (3)

[Product] https://www.manageengine.com

[Vendor Advisory] https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-15394.html

[Vendor Advisory] https://www.manageengine.com/products/applications_manager/issues.html#v14740

Scores

CVSS v3 9.8

EPSS 0.3137

EPSS Percentile 96.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

zohocorp/manageengine_applications_manager 14.0 (50 CPE variants)

Published Sep 25, 2020

Tracked Since Feb 18, 2026