CVE-2017-11346
published 2017-07-17

CVE-2017-11346: Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.

Priority: P2 78 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 43.27% (98.6th percentile)
Affected

1 range

Vendor     Product                        Version range   Fixed in
zohocorp   manageengine_desktop_central   <= 10.0

Detection & IOCs (extracted from sources)

url:  /fileupload
port: 8020
path: \..\..\..\..\jspf\<random>.jsp
path: ../webapps/DesktopCentral/jspf/
url:  /configurations.do
url:  /jspf/<random>.jsp

  • Detect unauthenticated POST requests to the FileUploadServlet endpoint with query parameter 'action=HelpDesk_video' and a 'fileName' parameter containing path traversal sequences (e.g., '\..\') targeting the /jspf/ directory.
  • Alert on POST requests with Content-Type 'application/octet-stream' to the ManageEngine Desktop Central file upload endpoint (default port 8020) where the fileName parameter contains backslash path traversal sequences.
  • Monitor for new .jsp files appearing under the DesktopCentral/jspf/ web-accessible directory, which would indicate a successful path-traversal upload leading to RCE.
  • The exploit drops and executes a JSP stager running as SYSTEM; detect child processes spawned by the Java/Tomcat process (e.g., cmd.exe, powershell.exe) on the Desktop Central server.
  • The FileUploadServlet class skips the hasVulnerabilityInFileName check for the user-controlled fileName parameter; inspect application logs for fileName values containing '..' or backslash sequences.
  • The exploit targets the default port 8020; installations may be configured on a different port, requiring hunters to adjust port-based detections accordingly.
  • The vulnerability affects Desktop Central builds prior to 100092; build 100087 was confirmed exploitable. Verify the build number via the /configurations.do endpoint before triaging alerts.
  • The exploit is Windows-specific (SYSTEM context); Linux deployments of Desktop Central are not targeted by this particular exploit module.

CVSS provenance

nvd   v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P