cbcvebase.
CVE-2019-11448
published 2019-04-22


Priority: P2 · 71 · critical · 9.8 (CVSS 3.0)
Exploit: yes
EPSS: 12.43% (95.7th percentile)
An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.

Affected

1 range
Vendor: zohocorp · Product: manageengine_applications_manager · Version range: 11.0 – 14.0 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /jsp/Popup_SLA.jsp
port: 8443
cookie: JSESSIONID
command: sid=1;copy+(select+username,password+from+AM_UserPasswordTable)+to+$$
path: AppManager14
  • Monitor HTTP POST requests to /jsp/Popup_SLA.jsp containing SQL metacharacters in the 'sid' parameter (e.g., semicolons, SQL keywords like COPY/SELECT), indicative of PostgreSQL stacked-query injection exploitation.
  • Alert on unauthenticated POST requests to /jsp/Popup_SLA.jsp on port 8443 (SSL) from external sources — the exploit requires no prior authentication.
  • Detect creation of unexpected .vbs files in ManageEngine AppManager installation directories (e.g., AppManager11–14 subdirectories), as the exploit writes a VBS-wrapped reverse shell payload to disk for execution by the application.
  • Look for the VBS payload signature string 'WbemScripting.SWbemLocator' and 'MSXML2.DOMDocument' appearing in newly written .vbs files under ManageEngine directories, indicating a malicious exe-to-vbs converted payload.
  • The exploit exfiltrates credentials by reading the AM_UserPasswordTable via SQL injection and serving the output as a .txt file; monitor for GET requests to randomly named .txt files on the ManageEngine web root shortly after POST exploitation attempts.
  • The exploit uses a 500-second WfsDelay because the ManageEngine application must itself execute the dropped .vbs file; detection based on immediate post-exploitation activity may miss the shell session due to this significant delay.
  • The SQL injection leverages PostgreSQL's COPY ... TO syntax to write files to disk; this technique is PostgreSQL-specific and will not function if ManageEngine is configured with a different backend database.
  • The check method uses a non-strict equality check (= instead of ==) when evaluating the HTTP response code, meaning the vulnerability check result ('Appears') may be unreliable and produce false positives.
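Detection logic for the first, second and fifth bullets above, as an added example (not from this page's sources or from ManageEngine): it scans constructed access-log lines for a request to /jsp/Popup_SLA.jsp whose sid value carries stacked-query markers, then flags a follow-up GET of a web-root .txt file from the same source. The combined log format and the IP addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not from any real host), as a reverse proxy
# in front of Applications Manager on port 8443 might write them.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2019:10:00:01 +0000] "POST /jsp/Popup_SLA.jsp?sid=12 HTTP/1.1" 200 512
198.51.100.7 - - [22/Apr/2019:10:00:05 +0000] "POST /jsp/Popup_SLA.jsp?sid=1;copy+(select+username,password+from+AM_UserPasswordTable)+to+$$ HTTP/1.1" 200 311
198.51.100.7 - - [22/Apr/2019:10:00:09 +0000] "GET /ab3f9c2e.txt HTTP/1.1" 200 2048
10.0.0.8 - - [22/Apr/2019:10:00:12 +0000] "GET /jsp/Popup_SLA.jsp?sid=7 HTTP/1.1" 200 498
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Stacked-query markers: a statement separator or PostgreSQL COPY/SELECT-style keywords.
SQLI_RE = re.compile(r';|\b(copy|select|union|insert|update|delete)\b', re.IGNORECASE)

def sid_values(query):
    """Yield decoded sid values; split on '&' only, so ';' inside a value survives."""
    for pair in query.split('&'):
        key, _, raw = pair.partition('=')
        if key == 'sid':
            yield unquote_plus(raw)

def sid_looks_injected(target):
    """True if the request targets Popup_SLA.jsp with SQL metacharacters in sid."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/jsp/popup_sla.jsp'):
        return False
    return any(SQLI_RE.search(value) for value in sid_values(parts.query))

def scan_log(text):
    """Return (source, reason) alerts: the injection request itself, plus a later GET
    of a web-root .txt file from a source already seen injecting (the credential
    exfiltration pattern described in the IOCs)."""
    alerts, flagged_sources = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, method, target = m.group('src'), m.group('method'), m.group('target')
        if sid_looks_injected(target):
            alerts.append((src, f'{method} Popup_SLA.jsp with SQL metacharacters in sid'))
            flagged_sources.add(src)
        elif method == 'GET' and src in flagged_sources and \
                re.fullmatch(r'/[^/]+\.txt', urlsplit(target).path):
            alerts.append((src, f'GET of web-root .txt {target} after injection attempt'))
    return alerts
```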

CVSS provenance

NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C