CVE-2017-11346
Published: 2017-07-17
CVE-2017-11346: Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.
Priority P278 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 43.27% (98.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_desktop_central | <= 10.0 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the FileUploadServlet endpoint with query parameter 'action=HelpDesk_video' and a 'fileName' parameter containing path traversal sequences (e.g., '\..\') targeting the /jspf/ directory.
- Alert on POST requests with Content-Type 'application/octet-stream' to the ManageEngine Desktop Central file upload endpoint (default port 8020) where the fileName parameter contains backslash path traversal sequences.
- Monitor for new .jsp files appearing under the DesktopCentral/jspf/ web-accessible directory, which would indicate a successful path-traversal upload leading to RCE.
- The exploit drops and executes a JSP stager running as SYSTEM; detect child processes spawned by the Java/Tomcat process (e.g., cmd.exe, powershell.exe) on the Desktop Central server.
- The FileUploadServlet class skips the hasVulnerabilityInFileName check for the user-controlled fileName parameter; inspect application logs for fileName values containing '..' or backslash sequences.
- The exploit targets the default port 8020; installations may be configured on a different port, requiring hunters to adjust port-based detections accordingly.
- The vulnerability affects Desktop Central builds prior to 100092; build 100087 was confirmed exploitable. Verify the build number via the /configurations.do endpoint before triaging alerts.
- The exploit is Windows-specific (SYSTEM context); Linux deployments of Desktop Central are not targeted by this particular exploit module.
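The request-side checks from the list above, as an added example that is not taken from the sources this page indexes. It scans access-log lines for POST requests carrying action=HelpDesk_video and a fileName value that decodes to '..' or a backslash. The log format, the request path and the sample lines are constructed assumptions; only the two parameter names come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Method and request target from a common-log-format line (format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values such as '%255c' are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(line):
    """True for a POST with action=HelpDesk_video and a traversal-style fileName."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "POST":
        return False
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if "HelpDesk_video" not in params.get("action", []):
        return False
    # parse_qs has decoded once; decode again to defeat nested encoding.
    return any(".." in n or "\\" in n
               for n in map(fully_decode, params.get("fileName", [])))

def flagged(lines):
    """Indexes of the lines that match the detection."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]

# Constructed sample lines; '/placeholder/upload' is a stand-in path, not the real endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "POST /placeholder/upload'
    '?action=HelpDesk_video&fileName=%5C..%5Cjspf%5Cconstructed.jsp HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Jan/2024:00:00:02 +0000] "POST /placeholder/upload'
    '?action=HelpDesk_video&fileName=%252e%252e%255cconstructed.jsp HTTP/1.1" 200 12',
    '192.0.2.20 - - [01/Jan/2024:00:00:03 +0000] "POST /placeholder/upload'
    '?action=HelpDesk_video&fileName=demo.mp4 HTTP/1.1" 200 12',
    '192.0.2.30 - - [01/Jan/2024:00:00:04 +0000] "GET /placeholder/upload'
    '?action=HelpDesk_video&fileName=%5C..%5Cx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for i in flagged(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[i])
```

Pair a match with the file-system and process checks in the list before treating it as a confirmed compromise, since a request alone does not show the write succeeded.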
CVSS provenance
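| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |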
Published: 2017-07-17