cbcvebase.
CVE-2014-7864
published 2015-02-04


Priority: P262 · high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 22.67% (97.4th percentile)
Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

Affected

14 ranges
Vendor | Product | Version range | Fixed in
zohocorp | manageengine_opmanager | |

Detection & IOCs

url: /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
url: /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a
path: /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet
  • Monitor HTTP POST requests to the FailOverHelperServlet path targeting the 'standbyUpdateInCentral' operation with suspicious values in the 'customerName' or 'serverRole' parameters, particularly those containing SQL metacharacters such as quotes, semicolons, or SQL keywords.
  • The SQL injection is blind; look for anomalous time delays or repeated requests to the standbyUpdateInCentral operation endpoint as indicators of blind SQLi probing.
  • In OpManager deployments, exploitation of this endpoint requires NO authentication; flag any unauthenticated POST to the FailOverHelperServlet standbyUpdateInCentral operation as high-severity.
  • The SQL injection is exploitable unauthenticated in OpManager but requires authentication in IT360; tune detection rules accordingly based on the deployed product.
  • IT360 remained unpatched at the time of disclosure; environments running IT360 v10.5 or earlier should be treated as persistently vulnerable.
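
The monitoring described in the bullets above, as an added example (not code from this page or from the vendor): a Python filter over combined-format access log lines that surfaces every request to the standbyUpdateInCentral operation, marks customerName and serverRole values containing SQL metacharacters or keywords, and counts requests per client to expose repeated probing. The log format, the keyword list and the sample lines are assumptions constructed for illustration, and parameters are assumed to appear in the query string as in the URLs listed above; parameters sent in a POST body need a proxy or WAF log that records them.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

SERVLET = "/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet"
WATCHED = ("customerName", "serverRole")
# Quotes, semicolons, comment markers or SQL keywords inside a parameter value (assumed list).
SUSPICIOUS = re.compile(
    r"""['";]|--|/\*|\b(?:select|union|insert|update|delete|create|drop|sleep|waitfor)\b""",
    re.IGNORECASE,
)
# Client address and request line of a combined-format access log entry.
ENTRY = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def inspect(line):
    """Return a finding for any standbyUpdateInCentral request, else None."""
    m = ENTRY.search(line)
    if not m:
        return None
    url = urlsplit(m.group("uri"))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if url.path != SERVLET or "standbyUpdateInCentral" not in params.get("operation", []):
        return None
    hits = {n: v for n in WATCHED for v in params.get(n, []) if SUSPICIOUS.search(v)}
    return {"client": m.group("client"), "method": m.group("method"), "suspicious": hits}

def scan(lines):
    """Return (findings, per-client request counts) to surface repeated probing."""
    findings = [f for f in map(inspect, lines) if f]
    return findings, Counter(f["client"] for f in findings)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [04/Feb/2015:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [04/Feb/2015:10:00:05 +0000] "POST ' + SERVLET +
    '?operation=standbyUpdateInCentral&customerName=acme&serverRole=standby HTTP/1.1" 200 0',
    '198.51.100.7 - - [04/Feb/2015:10:01:00 +0000] "POST ' + SERVLET +
    "?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+"
    '&serverRole=a HTTP/1.1" 200 0',
    '198.51.100.7 - - [04/Feb/2015:10:01:02 +0000] "POST ' + SERVLET +
    '?operation=standbyUpdateInCentral&customerName=a&serverRole=standby%27 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    findings, per_client = scan(SAMPLE)
    for f in findings:
        print(f)
    print(per_client.most_common())
```

Every request to the operation is returned, including those with an empty `suspicious` map, because the page treats any unauthenticated request to this endpoint in OpManager as high-severity; whether a request was authenticated has to come from session data the access log does not carry.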