CVE-2014-5445
published 2014-12-04

Priority: P3 · 54 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 98.17% (99.9th percentile)

Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| zohocorp | manageengine_it360 | | |
| zohocorp | manageengine_netflow_analyzer | 8.6 – 10.2 | |

Detection & IOCs (extracted from sources)

url: /netflow/servlet/CSVServlet?schFilePath=/etc/passwd
url: /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true
path: /netflow/servlet/CSVServlet
path: /netflow/servlet/CReportPDFServlet
  • Monitor HTTP GET requests to /netflow/servlet/CSVServlet or /netflow/servlet/CReportPDFServlet containing a 'schFilePath' parameter with an absolute path (e.g. starting with '/' or a Windows drive letter like 'C:\') — this is the exploitation pattern for CVE-2014-5445.
  • The vulnerability is unauthenticated in NetFlow Analyzer, so any unauthenticated request to the affected servlets with a schFilePath parameter should be treated as highly suspicious.
  • A Metasploit auxiliary module (auxiliary/admin/http/netflow_file_download) exists for this vulnerability; look for its characteristic HTTP request patterns against the CSVServlet endpoint.
  • When targeting Windows hosts, attackers must escape backslashes in the path parameter (e.g. C:\\boot.ini); detect double-backslash sequences in the schFilePath query parameter value.
  • Affected versions are NetFlow Analyzer 8.6 through 10.2 and IT360 10.3; version 10.2 was confirmed still vulnerable after a supposed fix release.
  • No official patch was available at time of disclosure (105 days after initial report); verify patch status before assuming remediation.
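
The detection notes above can be turned into a log check. The following is an added example, not code from this page or from the vendor: it assumes a web or proxy access log in combined format, and the function names (`classify`, `scan`) and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Servlet paths listed on this page for CVE-2014-5445 (compared case-insensitively).
SERVLETS = ("/netflow/servlet/csvservlet", "/netflow/servlet/creportpdfservlet")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Absolute path: POSIX root, Windows drive letter, or UNC prefix.
ABSOLUTE_RE = re.compile(r'^(/|[A-Za-z]:[\\/]|\\\\)')

def classify(line):
    """Return None for unrelated lines, else a dict describing the servlet request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.lower().rstrip("/") not in SERVLETS:
        return None
    # parse_qs percent-decodes values, so %2Fetc%2Fshadow is checked as /etc/shadow.
    values = [v for k, vs in parse_qs(url.query, keep_blank_values=True).items()
              if k.lower() == "schfilepath" for v in vs]
    if not values:
        return None
    return {
        "servlet": url.path,
        "values": values,
        "absolute": any(ABSOLUTE_RE.match(v) for v in values),
        "double_backslash": any("\\\\" in v for v in values),
    }

def scan(lines):
    """Return (line_index, hit) for every request carrying schFilePath to the servlets."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := classify(line))]

# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    r'192.0.2.10 - - [04/Dec/2014:10:00:01 +0000] "GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd HTTP/1.1" 200 1543',
    r'192.0.2.10 - - [04/Dec/2014:10:00:02 +0000] "GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true HTTP/1.1" 200 211',
    r'192.0.2.11 - - [04/Dec/2014:10:00:03 +0000] "GET /netflow/servlet/csvservlet?SCHFILEPATH=%2Fetc%2Fshadow HTTP/1.1" 200 0',
    r'192.0.2.12 - - [04/Dec/2014:10:00:04 +0000] "GET /netflow/servlet/CSVServlet?schFilePath=reports/weekly.csv HTTP/1.1" 200 88',
    r'192.0.2.13 - - [04/Dec/2014:10:00:05 +0000] "GET /netflow/index.jsp HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for i, hit in scan(SAMPLE_LOG):
        print(i, hit)
```

Hits with `absolute` set match the pattern in the first bullet; hits without it still carry `schFilePath` to an affected servlet and fall under the second bullet.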