cbcvebase.
CVE-2014-7866
published 2014-12-10

CVE-2014-7866: Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow…

PriorityP271high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
79.76%
99.6th percentile
Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.

Affected

16 ranges
VendorProductVersion rangeFixed in
zohocorpmanageengine_it360
zohocorpmanageengine_it360
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_opmanager
zohocorpmanageengine_social_it_plus

Detection & IOCsextracted from sources · hover to see the quote

url/servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00
url/servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00
path/servlet/MigrateLEEData
path/servlet/MigrateCentralData
  • Detect directory traversal attempts targeting the MigrateLEEData servlet via the 'fileName' parameter containing '../' sequences, especially with a null byte (%00) to bypass extension checks.
  • Detect directory traversal attempts targeting the MigrateCentralData servlet via the 'zipFileName' parameter in a 'downloadFileFromProbe' operation, containing '../' sequences and null byte (%00).
  • Alert on POST requests to /servlet/MigrateLEEData or /servlet/MigrateCentralData containing dot-dot sequences ('..') in query string parameters, indicative of path traversal exploitation.
  • Monitor for WAR file uploads (files ending in .war) being written to Tomcat webapps directories via traversal paths, which would indicate successful remote code execution staging.
  • This vulnerability is unauthenticated on OpManager and Social IT Plus, so no session/auth token is required — alert on traversal payloads from unauthenticated sessions to these endpoints.
  • ·The null byte (%00) in the fileName/zipFileName parameter is used to truncate the filename and bypass server-side extension validation — detection rules must account for URL-encoded null bytes in these parameters.
  • ·Affected version range is imprecisely known; at minimum OpManager v8 build 88XX through 11.4, IT360 10.3/10.4, and Social IT 11.0 are confirmed vulnerable.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.