CVE-2014-6037
published 2014-10-26


Priority: P277 · high · CVSS 2.0 base score 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 84.18% (99.7th percentile)
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
zohocorp | manageengine_eventlog_analyzer | |
zohocorp | manageengine_eventlog_analyzer | |

Detection & IOCs (extracted from sources)

url: http://172.16.37.131:8400/agentUpload
url: http://172.16.37.131:8400/cmdshell.jsp
path: /agentUpload
path: /event/runQuery.do
path: ../../webapps/event/
path: ../../server/default/deploy/
port: 8400
path: webapps/event/WEB-INF/web.xml
filename: cmdshell.jsp
url: http://xxx.xxx.xxx.xxx:8400/event/runQuery.do
  • Detect unauthenticated HTTP POST multipart/form-data requests to the /agentUpload or /event/agentUpload servlet endpoint, especially from external/untrusted sources.
  • Inspect ZIP file contents uploaded to agentUpload for path traversal sequences (e.g., '../../') in embedded filenames, which indicate exploitation attempts.
  • Alert on HTTP GET requests to /event/agentUpload or /agentUpload returning HTTP 405 (Method Not Allowed), which the Metasploit module uses as a vulnerability check indicator.
  • Monitor for newly created .jsp files under the webapps/event/ web root directory, which may indicate successful exploitation via path-traversal zip upload.
  • Monitor for newly created .ear files under the JBoss server/default/deploy/ directory, indicating exploitation of older v7.0–v8.0 targets via EAR deployment.
  • Detect HTTP GET requests to /event/index3.do probing for ManageEngine EventLog Analyzer version strings, used by the Metasploit module during reconnaissance.
  • Alert on low-privileged or guest account access to /event/runQuery.do, which exposes the database browser to unauthorized users.
  • Detect multipart/form-data POST uploads containing a ZIP file (application/zip content-type) to the agentUpload endpoint on port 8400.
  • The agentUpload servlet can be disabled as a workaround by commenting out its servlet mapping in web.xml if agents are not in use.
  • Versions 7.0–8.0 are exploited via EAR deployment in JBoss, while versions 8.1+ are exploited via JSP upload; detection logic should account for both attack paths.
  • The vulnerability was fixed in Build 11072; instances running builds prior to 11072 remain vulnerable.
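The ZIP inspection described in the detection list above, as an added Python example (not taken from the vendor, the Metasploit module or this page's sources): it reads entry names without extracting anything and flags names that climb out of the extraction directory or carry a .jsp/.ear extension. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# File types tied to the two paths the page names: JSP upload (8.1+) and EAR deployment (7.0-8.0).
DEPLOYABLE = (".jsp", ".ear")

def classify(raw: str) -> list[str]:
    """Return the reasons an archive entry name is suspicious (empty list = clean)."""
    name = raw.replace("\\", "/")            # a Windows host treats backslash as a separator
    reasons = []
    if name.startswith("/") or name[1:2] == ":":
        reasons.append("absolute path")
    depth = 0
    for part in name.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:                        # climbed above the extraction directory
            reasons.append("escapes extraction directory")
            break
    if name.lower().endswith(DEPLOYABLE):
        reasons.append("deployable file type")
    return reasons

def audit_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry in an uploaded ZIP to its reasons, without extracting it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # orig_filename is the name as stored in the archive, before zipfile normalises it
        hits = {i.orig_filename: classify(i.orig_filename) for i in zf.infolist()}
    return {name: why for name, why in hits.items() if why}

def build_sample() -> bytes:
    """Constructed archive for the demo: one clean entry, two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agent/logs/app.log", "constructed")
        zf.writestr("../../webapps/event/placeholder.jsp", "constructed")
        zf.writestr("..\\..\\server\\default\\deploy\\placeholder.ear", "constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, why in audit_zip(build_sample()).items():
        print(f"{entry}: {', '.join(why)}")
```

An entry such as `a/../b.txt` is not flagged because it resolves inside the extraction directory; only names whose running depth goes negative are reported as escaping.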