CVE-2014-3996
published 2014-12-05

CVE-2014-3996: SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP)…

Priority: P2 · 67 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 35.55% (98.3th percentile)
SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to LinkViewFetchServlet.dat.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| manageengine | desktop_central | <= 9.0 | |
| manageengine | it360 | <= 10.3.3 | |
| manageengine | password_manager_pro | <= 7.0 | |

Detection & IOCs (extracted from sources)

url: /LinkViewFetchServlet.dat?sv=[SQLi]
url: /console/LinkViewFetchServlet.dat?sv=[SQLi]
url: /MetadataServlet.dat?sv=[SQLi]
url: /console/MetadataServlet.dat?sv=[SQLi]
path: /LinkViewFetchServlet.dat
port: 8020
path: C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\
path: C:\ManageEngine\DesktopCentralMSP_Server\webapps\DesktopCentral\
  • Detect blind SQL injection attempts against ManageEngine LinkViewFetchServlet by monitoring GET requests to /LinkViewFetchServlet.dat with a non-empty 'sv' parameter. The injection is only exploitable via GET requests.
  • Monitor for GET requests to /PassTrixMain.cc returning HTTP 200 with body matching 'ManageEngine Password Manager Pro', which the exploit uses to fingerprint vulnerable PMP targets before exploitation.
  • Monitor for GET requests to /configurations.do returning HTTP 200 with body matching 'ManageEngine Desktop Central', which the exploit uses to fingerprint vulnerable Desktop Central targets before exploitation.
  • A burst of 10 to 20 rapid sequential GET requests to LinkViewFetchServlet.dat with large sv parameter values (chunked payload delivery) is a strong behavioral indicator of active exploitation.
  • CVE-2014-3996 (LinkViewFetchServlet) is unauthenticated for Desktop Central and Password Manager Pro, but requires a valid user account for IT360. Detection rules should account for both authenticated and unauthenticated access patterns.
  • MySQL-based targets use relative web root paths (e.g., ../../webapps/PassTrix/) while PostgreSQL-based targets require absolute paths. Detection of file-write activity should cover both relative and absolute path patterns under ManageEngine directories.
  • The vulnerability has existed in all ManageEngine Desktop Central, Password Manager Pro, and IT360 releases since 2006. Patched versions are DC v9 build 90043, PMP v7 build 7003, and IT360 v10.3.3 build 10330.
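
One way to apply the GET/sv check and the burst indicator from the notes above to web access logs, as an added example (not code from this page, the vendor or any exploit). It assumes a common-format access log; the 60-second window, the 512-character "large" threshold and all function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Servlet names from the IOC list above; endswith() also covers the /console/ prefix.
SERVLETS = ("/linkviewfetchservlet.dat", "/metadataservlet.dat")
# Assumption: Apache/Tomcat common-format access log.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(line):
    """Return (ip, time, sv) for a GET to a listed servlet with non-empty sv, else None."""
    m = LOG_RE.match(line)
    if not m or m.group(3).upper() != "GET":  # the page: only GET is exploitable
        return None
    url = urlsplit(m.group(4))
    if not url.path.lower().endswith(SERVLETS):
        return None
    sv = parse_qs(url.query).get("sv", [""])[0]  # parse_qs drops a blank sv
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group(1), ts, sv) if sv else None

def detect(lines, burst=10, window=timedelta(seconds=60), large=512):
    """Per-hit "sv-param" alerts plus one "burst" alert per source; window/large are assumed."""
    alerts, big = [], defaultdict(list)
    for ip, ts, sv in filter(None, map(parse, lines)):
        alerts.append(("sv-param", ip, ts))
        if len(sv) >= large:
            big[ip].append(ts)
    for ip, times in big.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                alerts.append(("burst", ip, times[i]))
                break
    return alerts

def sample_log():
    """Constructed log lines; "A" * 600 is a placeholder for a large sv value."""
    fmt = '{} - - [05/Dec/2014:10:00:{:02d} +0000] "{} {} HTTP/1.1" 200 64'
    big_sv = "/LinkViewFetchServlet.dat?sv=" + "A" * 600
    lines = [fmt.format("203.0.113.7", s, "GET", big_sv) for s in range(12)]
    lines.append(fmt.format("198.51.100.4", 30, "GET", "/console/MetadataServlet.dat?sv=x"))
    lines.append(fmt.format("198.51.100.4", 31, "POST", "/LinkViewFetchServlet.dat?sv=x"))
    lines.append(fmt.format("198.51.100.4", 32, "GET", "/LinkViewFetchServlet.dat?sv="))
    return lines

if __name__ == "__main__":
    print(*detect(sample_log()), sep="\n")
```

Because the IT360 case requires a valid account, the same check applies unchanged to authenticated sessions; the source IP key can be swapped for a session or user field where the log records one.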