CVE-2013-7390
published 2020-01-27

Priority: P185 | Severity: critical | Score: 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 74.53% (99.4th percentile)
Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot.

Affected

1 range
Vendor    Product                       Version range   Fixed in
zohocorp  manageengine_desktop_central  7.0.0 – 8.0.0

Detection & IOCs (extracted from sources)

url: /agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=<filename>
url: /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\..\..\..\webapps\DesktopCentral\shell.jsp
path: /agentLogUploader
path: ..\webapps\DesktopCentral\
port: 8020
filename: shell.jsp
  • Detect unauthenticated HTTP POST requests to /agentLogUploader with a filename parameter containing path traversal sequences (e.g., '..' or '..\') and a .jsp extension, indicating attempted JSP webshell upload.
  • Alert on HTTP POST to /agentLogUploader where the customerId parameter is set to '..' (dot-dot), which is the path traversal payload used in the original CVE-2013-7390 exploit to write files outside the intended directory.
  • Monitor for newly created .jsp files under the DesktopCentral webroot (e.g., ..\webapps\DesktopCentral\) followed by an immediate GET request to the same filename, which is the two-stage upload-then-execute pattern used by the Metasploit module.
  • Check the /configurations.do endpoint for the ManageEngine Desktop Central 8 build number; builds below 80293 are vulnerable and should be flagged in asset inventory.
  • Flag HTTP POST requests to /agentLogUploader with Content-Type: text/html, as this is the non-standard content type used by the exploit to deliver the JSP payload body.
  • The original CVE-2013-7390 fix (build 80293) was incomplete; the path traversal via customerId=.. was patched but a bypass using a valid computerName, domainName, and customerId with a traversal in the filename parameter remained exploitable (later assigned CVE-2014-5007). Detection rules must cover both traversal vectors.
  • The Metasploit module targets Windows only (Platform: win, Arch: ARCH_X86) and achieves code execution as SYSTEM; detections should account for SYSTEM-level child processes spawned from the DesktopCentral web server process.
  • The exploit requires no authentication whatsoever; perimeter controls relying on authenticated sessions will not prevent exploitation of this vulnerability.
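
The request-level checks from the bullets above, combined into one matcher and run over constructed sample requests. This is an added example, not code from this page or from any tool it cites; the function names, the (method, target, Content-Type) tuple layout and the benign sample are assumptions to adapt to your proxy or access-log format.

```python
from urllib.parse import urlsplit, parse_qs, unquote

UPLOAD_PATH = "/agentloguploader"  # compared case-insensitively

def has_traversal(value):
    # Treat '..\' and '../' alike: any path segment equal to '..' counts.
    return ".." in value.replace("\\", "/").split("/")

def match_upload(method, target, content_type=""):
    """Return the detection reasons that apply to one HTTP request."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower().rstrip("/")
    if method.upper() != "POST" or path != UPLOAD_PATH:
        return []
    # parse_qs percent-decodes values, so %2e%2e%5c is seen as ..\
    params = {k.lower(): v[-1] for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    filename = params.get("filename", "")
    reasons = []
    if has_traversal(params.get("customerid", "")):
        reasons.append("customerId traversal (CVE-2013-7390 vector)")
    if has_traversal(filename):
        reasons.append("filename traversal (CVE-2014-5007 vector)")
    if filename.lower().endswith(".jsp"):
        reasons.append(".jsp extension")
    if content_type.split(";")[0].strip().lower() == "text/html":
        reasons.append("text/html body")
    return reasons

# Constructed sample requests (method, request target, Content-Type).
SAMPLES = [
    ("POST", "/agentLogUploader?computerName=DesktopCentral&domainName=webapps"
             "&customerId=..&filename=x.jsp", "text/html"),
    ("POST", "/agentLogUploader?computerName=whatever1&domainName=whatever2"
             "&customerId=1337&filename=..%5C..%5Cwebapps%5CDesktopCentral%5Cshell.jsp",
     "text/html"),
    ("POST", "/agentLogUploader?computerName=pc01&domainName=corp"
             "&customerId=1&filename=agent.log", "application/octet-stream"),
    ("GET", "/configurations.do", ""),
]

if __name__ == "__main__":
    for method, target, ctype in SAMPLES:
        hits = match_upload(method, target, ctype)
        print("ALERT" if hits else "ok   ", method, target[:60], hits)
```

Any non-empty result is worth an alert; correlating it with a new .jsp file under the webroot and a follow-up GET for the same name covers the upload-then-execute pattern described above.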

CVSS provenance

nvd  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P