CVE-2014-6039
published 2020-01-13

CVE-2014-6039: ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000.

Priority: P2 (70, high)
CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 68.78% (99.3th percentile)

Affected

1 range
Vendor: zohocorp
Product: manageengine_eventlog_analyzer
Version range: 7.0 – 9.9
Fixed in: not listed in the range table (the description states version 10 Build 10000)

Detection & IOCs (extracted from sources)

URL indicators:
  • /hostdetails?slid=X&hostid=Y
  • /hostdetails?slid=1&hostid=1
  • /agentHandler?mode=getTableData&table=HostDetails
  • /agentHandler?mode=getTableData&table=AaaUser
  • /agentHandler?mode=getTableData&table=AaaPassword
  • /agentHandler?mode=getTableData&table=AaaPasswordHint
  • /agentHandler?mode=getTableData&table=[tableName]
  • Detect unauthenticated GET requests to the /hostdetails servlet with slid= and hostid= parameters — the core CVE-2014-6039 exploitation path for credential disclosure.
  • Detect unauthenticated GET requests to /agentHandler with mode=getTableData — used in the companion CVE-2014-6038 to enumerate host IDs needed for CVE-2014-6039 exploitation.
  • On EventLog Analyzer v7 deployments, exploitation paths are prefixed with /event/ — monitor for /event/hostdetails and /event/agentHandler request patterns as well.
  • No authentication or session token is required to exploit either vulnerability; flag any unauthenticated source accessing these servlets.
  • Returned credentials from /hostdetails are XOR-encoded with 0x30 and base64-encoded; inspect response bodies for base64 blobs that decode to XOR-0x30 obfuscated strings as a post-exploitation indicator.
  • The /hostdetails servlet is only exploitable after obtaining valid hostid and slid values, which are retrieved via the companion CVE-2014-6038 agentHandler abuse — both requests will appear in sequence during a full attack chain.
  • Affected versions are v7 through v9.9 build 9002; the fix was introduced in version 10 Build 10000. Ensure patched instances are confirmed at build 10000 or later.
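The detection points above can be turned into a simple access-log check. The following Python script is an added example, not part of this record or of ManageEngine's own code: it parses constructed combined-format log lines (the IP addresses, timestamps and user agents are made up), labels GET requests to the /hostdetails and /agentHandler servlets (with or without the v7 /event/ prefix) using only the paths and parameters listed in the IOC section, and reports any source that issued both the CVE-2014-6038 enumeration request and the CVE-2014-6039 request, which the sources describe as the full chain.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2020:10:00:01 +0000] "GET /index.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2020:10:00:02 +0000] "GET /agentHandler?mode=getTableData&table=HostDetails HTTP/1.1" 200 4096 "-" "curl/7.64"
198.51.100.7 - - [13/Jan/2020:10:00:03 +0000] "GET /hostdetails?slid=1&hostid=1 HTTP/1.1" 200 1024 "-" "curl/7.64"
203.0.113.9 - - [13/Jan/2020:10:00:04 +0000] "GET /event/agentHandler?mode=getTableData&table=AaaPassword HTTP/1.1" 200 2048 "-" "python-requests/2.22"
10.0.0.5 - - [13/Jan/2020:10:00:05 +0000] "GET /event/index.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method: str, target: str):
    """Return an indicator label for one request, or None if it matches nothing.

    Only the servlet paths and parameters named in the IOC section are checked;
    the /event/ prefix used by v7 deployments is normalised away first.
    """
    parts = urlsplit(target)
    path = parts.path
    if path.startswith("/event/"):
        path = path[len("/event"):]  # /event/hostdetails -> /hostdetails
    qs = parse_qs(parts.query)
    if method == "GET" and path == "/hostdetails" and "slid" in qs and "hostid" in qs:
        return "CVE-2014-6039 hostdetails credential disclosure request"
    if method == "GET" and path == "/agentHandler" and qs.get("mode") == ["getTableData"]:
        table = qs.get("table", ["?"])[0]
        return f"CVE-2014-6038 agentHandler table enumeration (table={table})"
    return None


def scan_log(text: str):
    """Scan log text; return (per-line hits, sources that performed the full chain).

    A hit is (source, timestamp, label). A source is reported as chained when it
    issued both the CVE-2014-6038 enumeration and the CVE-2014-6039 request.
    """
    hits = []
    cves_by_src = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        label = classify_request(m["method"], m["target"])
        if label:
            hits.append((m["src"], m["ts"], label))
            cves_by_src[m["src"]].add(label.split(" ", 1)[0])
    chain = {"CVE-2014-6038", "CVE-2014-6039"}
    chained = sorted(src for src, cves in cves_by_src.items() if chain <= cves)
    return hits, chained


if __name__ == "__main__":
    found, chained_sources = scan_log(SAMPLE_LOG)
    for src, ts, label in found:
        print(f"{ts} {src} {label}")
    print("full-chain sources:", chained_sources)
```

Because the sources state that neither servlet needs a session, the script deliberately does not consult authentication state; any match from a source outside the monitoring network is worth a ticket, and a chained source indicates the credential-disclosure step was actually reached rather than merely probed.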

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N