cbcvebase.
CVE-2014-7863
published 2020-02-08

CVE-2014-7863: The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400…

Priority: P2 (74), high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT: public exploit code exists (Metasploit modules, see detection notes)
EPSS: 83.40% (99.6th percentile)
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.

Affected

3 ranges

Vendor    Product                             Version range   Fixed in
zohocorp  manageengine_applications_manager   <= 11.9         (none listed)
zohocorp  manageengine_it360                  <= 10.5         (none listed)
zohocorp  manageengine_opmanager              8 – 11.5        (none listed)

Detection & IOCs (extracted from sources)

url:  /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini
url:  /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\
path: /servlet/FailOverHelperServlet
  • Monitor HTTP POST requests to /servlet/FailOverHelperServlet carrying operation=copyfile and a fileName parameter; this is the arbitrary file download path. Match on the servlet path plus the parameters rather than on the verb alone.
  • Monitor HTTP POST requests to /servlet/FailOverHelperServlet carrying operation=listdirectory and a rootDirectory parameter; this is the directory listing path.
  • On OpManager and Applications Manager the servlet is reachable without authentication, so alert on any unauthenticated POST to the FailOverHelperServlet endpoint.
  • For IT360 targets, exploitation typically occurs on port 8300 (the OpManager instance port); monitor FailOverHelperServlet requests on that port.
  • The Metasploit modules attempt a login with the default administrator and guest credentials before exploiting; alert on default-credential authentication attempts that are followed by FailOverHelperServlet requests.
  • The exploit requests recursive directory listings; unusually large or deep listdirectory responses from FailOverHelperServlet may indicate active exploitation.
  • IT360 requires authentication to exploit, whereas OpManager and Applications Manager are fully unauthenticated; tune detection rules per product.
  • IT360 had no vendor patch as of the disclosure date; do not rely on a vendor fix for IT360 deployments.
  • The fix for Applications Manager is version 11.9 build 11912; for OpManager a patch exists for 11.4/11.5 and the fix is included in 11.6. Builds outside these ranges remain vulnerable, and the "<= 11.9" range listed above for Applications Manager still covers vulnerable 11.9 builds earlier than 11912.
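The detection notes above reduce to a small log-scanning rule. The following is an added example (not code from the CVE sources or from ManageEngine) that applies it to web-server access logs: every request to /servlet/FailOverHelperServlet is recorded, the two documented operations (copyfile with fileName, listdirectory with rootDirectory) are rated high, path traversal in the requested path is noted, oversized listdirectory responses are noted, and hits are aggregated per source address. The combined access-log format, the 50 kB "large listing" threshold and the sample log lines are assumptions constructed for the example.

```python
"""Scan web-server access logs for requests to FailOverHelperServlet (CVE-2014-7863).

Added example, not the vendor's or the advisory's code. The log format and the
size threshold are assumptions; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Assumed combined access-log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SERVLET_PATH = "/servlet/FailOverHelperServlet"
# The two abusable operations named in the advisory and the parameter each one reads.
WATCHED_OPS = {"copyfile": "fileName", "listdirectory": "rootDirectory"}
# Assumed threshold: a recursive listdirectory response this large is worth a note.
LARGE_LISTING_BYTES = 50_000

# Constructed sample log lines (not real traffic): two hits from one source,
# an unrelated request, a traversal attempt, and an unknown operation.
SAMPLE_LOG = r"""10.0.0.5 - - [10/Feb/2020:12:00:01 +0000] "POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\boot.ini HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2020:12:00:02 +0000] "POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:%5C HTTP/1.1" 200 98211 "-" "Mozilla/5.0"
10.0.0.9 - admin [10/Feb/2020:12:00:03 +0000] "GET /index.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2020:12:00:04 +0000] "GET /servlet/FailOverHelperServlet?operation=copyfile&fileName=..\..\..\windows\win.ini HTTP/1.1" 200 1200 "-" "curl/7.64.1"
10.0.0.7 - - [10/Feb/2020:12:00:05 +0000] "POST /servlet/FailOverHelperServlet?operation=status HTTP/1.1" 403 0 "-" "curl/7.64.1"
"""


@dataclass
class Finding:
    src: str
    user: str
    method: str
    operation: str
    target: str          # value of fileName / rootDirectory, "" for other operations
    status: int
    size: int
    severity: str        # "high" for copyfile/listdirectory, "low" for any other hit
    notes: Tuple[str, ...]


def _has_traversal(path: str) -> bool:
    """True if any path component (slash or backslash separated) is '..'."""
    return any(part == ".." for part in re.split(r"[\\/]+", path))


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a request to FailOverHelperServlet, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    path, _, query = f["target"].partition("?")
    if path.lower() != SERVLET_PATH.lower():
        return None
    qs = parse_qs(query, keep_blank_values=True)   # also decodes %5C etc.
    op = qs.get("operation", [""])[0].lower()
    param = WATCHED_OPS.get(op)
    value = qs.get(param, [""])[0] if param else ""
    size = 0 if f["size"] == "-" else int(f["size"])
    notes: List[str] = []
    if f["user"] == "-":
        notes.append("no authenticated user in log")
    if param:
        severity = "high"
        if _has_traversal(value):
            notes.append("path traversal in " + param)
        if op == "listdirectory" and size >= LARGE_LISTING_BYTES:
            notes.append("large listing response")
    else:
        severity = "low"   # any other hit on the servlet is still worth recording
    return Finding(f["src"], f["user"], f["method"], op, value,
                   int(f["status"]), size, severity, tuple(notes))


def scan_log(text: str) -> List[Finding]:
    return [fd for fd in (inspect_line(l) for l in text.splitlines()) if fd]


def by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count high-severity hits per source address, for a per-host alert."""
    counts: Dict[str, int] = {}
    for fd in findings:
        if fd.severity == "high":
            counts[fd.src] = counts.get(fd.src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for fd in hits:
        print(f"{fd.severity:4} {fd.src:10} {fd.method:4} {fd.operation:13} "
              f"{fd.status} {fd.size:6} {fd.target!r} {'; '.join(fd.notes)}")
    print("high-severity hits per source:", by_source(hits))
```

Feed real access logs to scan_log and page on by_source; on IT360 the "no authenticated user" note will be absent for a successful attack, so there the default-credential login preceding the hit is the stronger signal.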

CVSS provenance

nvd  v3.1  7.5 HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd  v2.0  5.0 MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N