CVE-2014-5007
published 2020-01-17


Priority P275 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 37.33% (98.3th percentile)
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
zohocorp | manageengine_desktop_central | 7.0 – 9.0 |
zohocorp | manageengine_desktop_central_managed_service_providers | 7.0 – 9.0 |

Detection & IOCs (extracted from sources)

url: /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\..\\..\\..\\webapps\\DesktopCentral\\shell.jsp
path: /agentLogUploader
path: ..\..\..\..\webapps\DesktopCentral\shell.jsp
filename: shell.jsp
port: 8020
url: agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=#{filename}
  • Detect unauthenticated POST requests to the agentLogUploader servlet containing directory traversal sequences (e.g., '..' or '..\') in the 'filename' parameter, particularly targeting paths under webapps\DesktopCentral\.
  • Monitor for POST requests to /agentLogUploader with a 'filename' parameter containing backslash-based traversal sequences (e.g., '..\\..\\') — no authentication is required to exploit this endpoint.
  • Alert on JSP files written to the DesktopCentral web root (webapps\DesktopCentral\) by the Desktop Central service process, as this indicates successful exploitation and webshell deployment.
  • Check for subsequent GET requests to randomly-named .jsp files in the DesktopCentral web root immediately after a POST to agentLogUploader — this is the two-stage upload-then-execute pattern used by the Metasploit module.
  • Inspect the 'customerId' parameter in agentLogUploader requests for traversal values such as '..' which were used in the original CVE-2013-7390 exploit vector.
  • The fix for the original CVE-2013-7390 (patch 80293) was incomplete; CVE-2014-5007 demonstrates that traversal is still possible with a valid computerName, domainName, and customerId, so patching to DC v9 build 90055 or later is required.
  • All Desktop Central versions from v7 through v9 build 90054 are affected; the fix is to upgrade to DC v9 build 90055.
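
The log-based checks in the list above (traversal in `filename` or `customerId` on a POST to agentLogUploader, then a GET for a .jsp from the same client) can be combined into one pass over an access log. This is an added example, not code from the advisory or the vendor; the common-log-format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout: Apache/Tomcat common log format; adjust LINE_RE to your access log.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_PARAMS = ("filename", "customerId")  # parameters named in the guidance above

SAMPLE_LOG = [  # constructed lines, not taken from a real system
    '10.0.0.7 - - [01/Jan/2020:10:00:00 +0000] "POST /agentLogUploader?computerName=pc1&domainName=corp&customerId=1&filename=agent.log HTTP/1.1" 200 2',
    '203.0.113.9 - - [01/Jan/2020:10:00:05 +0000] "POST /agentLogUploader?computerName=a&domainName=b&customerId=1337&filename=..%5C..%5Cwebapps%5CDesktopCentral%5Cx.jsp HTTP/1.1" 200 2',
    '203.0.113.9 - - [01/Jan/2020:10:00:06 +0000] "GET /x.jsp HTTP/1.1" 200 10',
    '198.51.100.4 - - [01/Jan/2020:10:01:00 +0000] "POST /agentLogUploader?computerName=a&domainName=b&customerId=%252e%252e&filename=a.log HTTP/1.1" 200 2',
    '10.0.0.7 - - [01/Jan/2020:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 10',
]

def has_traversal(value):
    # Decode repeatedly so %2e%2e and double-encoded forms are caught too.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in value

def scan(lines):
    """Return (kind, client, detail) findings for the upload-then-execute pattern."""
    findings, suspects = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        path = url.path.lower()
        if method == "POST" and path.endswith("/agentloguploader"):
            params = parse_qs(url.query, keep_blank_values=True)
            bad = [p for p in TRAVERSAL_PARAMS
                   if any(has_traversal(v) for v in params.get(p, []))]
            if bad:
                suspects.add(client)  # remember the client for the follow-up GET check
                findings.append(("traversal_upload", client, ",".join(bad)))
        elif method == "GET" and path.endswith(".jsp") and client in suspects:
            findings.append(("jsp_after_upload", client, url.path))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

This only sees parameters carried in the request line; the file-write check on webapps\DesktopCentral\ from the list above still needs host-level monitoring.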

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C