CVE-2014-7862
published 2018-01-04


Priority: P181 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 81.05% (99.6th percentile)
The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
zohocorp | desktop_central | < 90109 | 90109
zohocorp | desktop_central | >= 7 |

Detection & IOCs

url: /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&[email protected]&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337
path: /servlets/DCPluginServelet
command: action=addPlugInUser
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation"; flow:established,to_server; http.uri; content:"/servlets/DCPluginServelet?"; nocase; content:"action=addPlugInUser"; nocase; content:"role="; nocase; content:"userName="; nocase; content:"email="; nocase; content:"password="; nocase; content:"salt="; nocase; reference:cve,CVE-2014-7862; reference:url,seclists.org/fulldisclosure/2015/Jan/2; classtype:trojan-activity; sid:2020092; rev:3; metadata:created_at 2015_01_05, signature_severity Major, updated_at 2020_05_14;)
  • Detect unauthenticated GET requests to /servlets/DCPluginServelet with the query parameter action=addPlugInUser, which indicates an attempt to create a rogue administrator account. No authentication or prior session is required by the attacker.
  • Look for the combination of URI path /servlets/DCPluginServelet? with parameters role=, userName=, email=, password=, and salt= in a single HTTP request — all are present in the exploit payload.
  • A Metasploit auxiliary module exists for this vulnerability (modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb); presence of this module in use can be correlated with exploit attempts against the DCPluginServelet endpoint.
  • All versions of ManageEngine Desktop Central and Desktop Central MSP from v7 up to (not including) build 90109 are affected. Identify unpatched instances by version/build number in asset inventory.
  • The exploit requires no authentication whatsoever: it is a single unauthenticated GET request, making it trivially exploitable from any network with access to the Desktop Central web interface.
  • Successful exploitation immediately grants full administrator access to Desktop Central, enabling code execution on ALL managed devices (servers, laptops, desktops, smartphones, tablets).
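
The first two detection points above, applied to web-server access logs for retrospective hunting. This is an added example, not code from the original page or from the vendor; it assumes Common/Combined Log Format, and the sample log lines and the names `classify` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Compared case-insensitively, mirroring the "nocase" modifiers in the Snort rule.
SERVLET_PATH = "/servlets/dcpluginservelet"
ACCOUNT_PARAMS = {"role", "username", "email", "password", "salt"}
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify(uri):
    """Return 'account-creation', 'probe' or None for a request URI."""
    parts = urlsplit(uri)
    if unquote(parts.path).lower().rstrip("/") != SERVLET_PATH:
        return None
    params = {}
    # parse_qs percent-decodes names and values, so encoded variants still match.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        params.setdefault(key.lower(), []).extend(values)
    if not any(v.lower() == "addpluginuser" for v in params.get("action", [])):
        return None
    # Full parameter set = the request shape described above; anything less is a probe.
    return "account-creation" if ACCOUNT_PARAMS.issubset(params) else "probe"

def scan(lines):
    """Return (client, status, verdict) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        verdict = classify(m.group("uri")) if m else None
        if verdict:
            hits.append((m.group("client"), int(m.group("status")), verdict))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder parameter values).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jan/2015:10:00:01 +0000] "GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=u1&email=u1%40example.test&phNumber=0&password=PLACEHOLDER&salt=0&createdtime=0 HTTP/1.1" 200 12',
    '203.0.113.9 - - [05/Jan/2015:10:02:44 +0000] "GET /servlets/dcpluginservelet?ACTION=AddPluginUser HTTP/1.1" 404 0',
    '192.0.2.10 - - [05/Jan/2015:10:03:10 +0000] "GET /servlets/DCPluginServelet?action=other HTTP/1.1" 200 5',
    '192.0.2.10 - - [05/Jan/2015:10:03:12 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any "account-creation" hit on a build below 90109 warrants a review of the Desktop Central administrator list for accounts created at the logged time.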

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat | | 7.8 | HIGH |