CVE-2015-8249
published 2017-09-28


Priority: P183
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 73.60% (99.4th percentile)
The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter.

Affected

1 range
Vendor | Product | Version range | Fixed in
manageengine | desktop_central | |

Detection & IOCs (extracted from sources)

port: 8020
port: 8040
url: /configurations.do
path: /webapps/DesktopCentral/jspf/
filename: rdslog0.txt
command: connectionId=<rand>/../../../../../jspf/<rand>.jsp%00
command: action=rds_file_upload
  • Detect POST requests to the FileUploadServlet endpoint containing a 'connectionId' parameter with null-byte (%00) and path traversal sequences (e.g., '../') targeting the /jspf/ directory.
  • Monitor for unexpected .jsp file creation under the path C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf\ as an indicator of successful exploitation.
  • Check rdslog0.txt for anomalous FileUploadServlet debug entries, which are left behind as forensic artifacts after exploitation.
  • Flag GET requests to /configurations.do on ManageEngine Desktop Central ports as potential pre-exploitation reconnaissance to enumerate the build number.
  • Default port varies by ManageEngine Desktop Central version; defenders should ensure detection rules cover both port 8020 (newer default) and port 8040 (older default).
  • The exploit payload uses a null-byte (%00) injection in the ConnectionId parameter to truncate the filename extension; WAF/IDS rules must handle URL-encoded null bytes to detect this technique.
  • Exploitation results in code execution as SYSTEM; any process spawned from the ManageEngine Desktop Central service after a suspicious upload should be treated as high-severity.
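
The request-level checks above (connectionId with traversal and a null byte aimed at /jspf/, plus GET /configurations.do), written as log-scanning logic that also catches multiply URL-encoded forms. This is an added example, not code from the original page or from the vendor. Assumptions: the parameters appear in the logged request target, /UPLOAD-ENDPOINT is a placeholder because the page does not give the servlet's URL path, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # assumption: covers double- and triple-encoded payloads
# Decoded substrings the page lists as indicators inside connectionId.
CHECKS = {"null-byte": "\x00", "path-traversal": "../", "targets-jspf": "/jspf/"}

def fully_decode(value):
    """Percent-decode repeatedly so %2500 and %252f are seen as NUL and '/'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(method, target):
    """Return finding tags for one request (HTTP method and request target)."""
    findings = []
    parts = urlsplit(target)
    if method == "GET" and parts.path.lower() == "/configurations.do":
        findings.append("recon:configurations.do")
    # Split the query by hand: parse_qs would percent-decode only once.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if fully_decode(name).lower() != "connectionid":
            continue
        value = fully_decode(raw).replace("\\", "/").lower()
        findings += [f"connectionId:{tag}" for tag, needle in CHECKS.items() if needle in value]
    return findings

def scan(lines):
    """Return (line_number, findings) for each log line with at least one finding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        findings = classify_request(match["method"], match["target"]) if match else []
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample access-log lines; /UPLOAD-ENDPOINT is a placeholder path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2016:10:00:00 +0000] "GET /configurations.do HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2016:10:00:05 +0000] "POST /UPLOAD-ENDPOINT?connectionId=ab/../../../../../jspf/cd.jsp%00&action=rds_file_upload HTTP/1.1" 200 0',
    '192.0.2.11 - - [01/Jan/2016:10:01:00 +0000] "POST /UPLOAD-ENDPOINT?connectionId=ab%252f..%252f..%252fjspf%252fcd.jsp%2500&action=rds_file_upload HTTP/1.1" 200 0',
    '192.0.2.12 - - [01/Jan/2016:10:02:00 +0000] "POST /UPLOAD-ENDPOINT?connectionId=1234&action=rds_file_upload HTTP/1.1" 200 0',
]
```

Calling scan(SAMPLE_LOG) flags lines 1 to 3 and leaves the benign upload on line 4 alone; line 3 is the double-encoded case that a single decoding pass would miss.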

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C