CVE-2014-5377
published 2014-09-04

CVE-2014-5377: ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.

Priority: P3 · 5.5 · medium
CVSS 2.0 base score: 5 (vector AV:N/AC:L/Au:N/C:P/I:N/A:N)

EXPLOIT

EPSS: 57.48% (99.0th percentile)

Affected (1 range)

Vendor: manageengine · Product: device_expert · Version range: <= 5.9 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /ReadUsersFromMasterServlet
  • An unauthenticated HTTP GET request to /ReadUsersFromMasterServlet on ManageEngine DeviceExpert exposes user credentials (salted MD5 hashes); no authentication or additional parameters are required.
  • The response body from /ReadUsersFromMasterServlet contains concatenated username, role, and salted MD5 password hash fields; monitor for successful (HTTP 200) responses to this endpoint, especially from sources that have not authenticated.
  • A Metasploit auxiliary module targets this vulnerability; detect scanner activity against /ReadUsersFromMasterServlet from the metasploit-framework module manageengine_deviceexpert_user_creds.
  • The vulnerability affects DeviceExpert up to and including version 5.9 build 5980; the fix ships in 5.9 build 5981. Older versions are also likely affected.
  • Passwords returned by the vulnerable endpoint are salted MD5 hashes, not plaintext; offline cracking should be anticipated after credential harvesting, so treat exposure as a credential compromise and rotate affected accounts.