CVE-2015-7387
published 2015-09-28

Priority: P2 71 · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 80.19% (99.6th percentile)
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.

Affected (1 range)

Vendor   | Product                        | Version range | Fixed in
zohocorp | manageengine_eventlog_analyzer | <= 10.6       | Build 11200

Detection & IOCs (extracted from sources)

url: /event/runQuery.do
url: /event/index3.do
url: /event/j_security_check
port: 8400
command: execute=true&query=select+version%28%29
command: SELECT lo_create(-1)
command: SELECT lo_unlink(-1)
command: SELECT lo_export(#{loid}, '..//..//webapps//event/#{jsp_name}');
command: SELECT <n>;INSERT INTO/**/pg_largeobject/**/(loid,pageno,data)/**/VALUES(..., DECODE('...', 'base64'));--
path: ..\webapps\event\<random>.jsp
cookie: JSESSIONID
  • Detect SQL injection bypass attempts: monitor POST requests to /event/runQuery.do where the query parameter contains a SELECT statement followed by a semicolon and INSERT/UPDATE/DELETE keywords (e.g., 'SELECT 1;INSERT INTO').
  • Alert on POST requests to /event/runQuery.do from any authenticated session, including the default 'guest' account, as this endpoint is accessible to all users including low-privilege accounts.
  • Detect Postgres large object abuse: watch for SQL queries referencing lo_create, lo_export, lo_unlink, or INSERT INTO pg_largeobject in traffic to /event/runQuery.do, which indicates JSP webshell staging via the database.
  • Detect lo_export path traversal to webapps directory: alert on SQL queries containing lo_export with a path referencing '..//webapps//event/' which writes a JSP payload to the web root.
  • Monitor for new .jsp files appearing under the EventLog Analyzer webapps/event/ directory, which may indicate a dropped webshell from successful exploitation.
  • Detect comment-based SQL keyword obfuscation in the query parameter: patterns like INSERT/**/ or pg_largeobject/**/ using inline comments to evade keyword filters.
  • The exploit authenticates using default credentials (guest/guest); alert on successful logins to /event/j_security_check with username 'guest' followed by POST activity to /event/runQuery.do.
  • The vulnerable endpoint /event/runQuery.do is accessible to ALL authenticated users including the default 'guest' account; the SQL query option is intentionally hidden from the UI but the endpoint remains functional.
  • The embedded Postgres backend runs as SYSTEM on Windows, meaning any file written via lo_export will have SYSTEM-level privileges, enabling full OS compromise.
  • The fix was delivered as a patch (Build 11200) requiring manual file replacement of runQuery_jsp.class and RunQuery.class; versions 10.6 build 10060 and earlier remain vulnerable without this patch.
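As an added example (not part of this record or the vendor's code), the detection bullets above as a small Python checker: it decodes the query parameter from a form-encoded POST body to /event/runQuery.do, strips /**/ keyword splitting, and flags stacked statements after a SELECT, write keywords, Postgres large-object functions and lo_export paths aimed at webapps/event. The sample bodies and label names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Patterns taken from the IOC list: write keywords in a trailing statement,
# Postgres large-object functions, and lo_export aimed at webapps/event via
# "..//" traversal (forward or back slashes).
WRITE_KW = re.compile(r"\b(INSERT|UPDATE|DELETE)\b", re.I)
LARGE_OBJ = re.compile(r"\b(lo_create|lo_export|lo_unlink|pg_largeobject)\b", re.I)
WEBROOT = re.compile(r"lo_export\s*\(.*?\.\.[\\/]+.*?webapps[\\/]+event", re.I | re.S)


def query_param(body: str) -> str:
    """Extract the decoded `query` field from a form-encoded POST body."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "query":
            return unquote_plus(value)
    return ""


def analyse_query(raw: str) -> list:
    """Return the detection labels that fire for one runQuery.do query."""
    findings = []
    if "/*" in raw:  # INSERT/**/INTO style keyword splitting
        findings.append("inline-comment obfuscation")
    # Drop inline comments and collapse whitespace before keyword matching
    q = re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", raw, flags=re.S)).strip()
    stmts = [s.strip() for s in q.split(";") if s.strip()]
    if len(stmts) > 1 and stmts[0].upper().startswith("SELECT"):
        findings.append("stacked statement after SELECT")
        if any(WRITE_KW.search(s) for s in stmts[1:]):
            findings.append("write keyword after SELECT")
    if LARGE_OBJ.search(q):
        findings.append("large-object abuse")
    if WEBROOT.search(q):
        findings.append("lo_export into webapps/event")
    return findings


def analyse_post_body(body: str) -> list:
    return analyse_query(query_param(body))


# Constructed sample bodies (not captured traffic), shaped like the IOCs above.
SAMPLES = {
    "benign": "execute=true&query=select+version%28%29",
    "stacked": "execute=true&query=SELECT+1%3BINSERT+INTO%2F**%2Fpg_largeobject%2F**%2F"
               "(loid%2Cpageno%2Cdata)+VALUES(1%2C0%2C'x')--",
    "export": "execute=true&query=SELECT+1%3BSELECT+lo_export(1%2C+'..%2F%2F..%2F%2F"
              "webapps%2F%2Fevent%2Fx.jsp')",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {analyse_post_body(body) or ['clean']}")
```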