CVE-2019-11469
Published 2019-04-23
Priority P2 · 74 · critical · 9.8 CVSS 3.0
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 18.36% (96.9th percentile)
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_applications_manager | 12.0 – 14.0 | — |
Detection & IOCs (extracted from sources)
- SQL injection is delivered via HTTP POST to FaultTemplateOptions.jsp with the 'resourceid' parameter; monitor for anomalous SQL syntax (CHAR() chains, stacked queries) in that parameter.
- MSSQL injection payloads use CHAR() concatenation (e.g. CHAR(65)+CHAR(68)+...) to obfuscate string literals; alert on resourceid values containing repeated CHAR() patterns.
- After SQLi-based admin account creation, the exploit authenticates via j_security_check (POST) and then calls executeScript.do?method=testAction&actionID=<id>&haid=null to trigger the uploaded payload; correlate these sequential requests.
- Malicious file upload occurs via multipart POST to /Upload.do; the uploaded filename is a random 9-12 character alpha string with extension .bat, .sh, .pl, .py, or .rb — alert on Upload.do receiving script-extension files.
- The exploit uses showTile.do?TileName=.ExecProg to discover the server-side execution directory and platform; an unauthenticated or newly-authenticated request to this tile is a strong pre-exploitation indicator.
- The exploit registers a new exec-program action via POST to adminAction.do with method=createExecProgAction and serversite=local; monitor for unexpected createExecProgAction calls from newly created accounts.
- The exploit targets both MSSQL and PostgreSQL backends by sending two separate SQLi payloads to FaultTemplateOptions.jsp; detection should cover both database syntax variants in the resourceid parameter.
- Default exploit port is 8443 with SSL; deployments may use a different port, so detections should not be port-restricted.
- The exploit sets WfsDelay to 60 seconds as a countermeasure, meaning payload execution may be significantly delayed after the upload — time-based correlation windows must account for this gap.
- Affected versions span Applications Manager 12 through 14; the exploit was tested on both Linux (PostgreSQL) and Windows (MSSQL and PostgreSQL) targets, so detections must be platform-agnostic.
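Added example (not code from this record, ManageEngine, or the exploit authors): a Python classifier that tags individual requests with the indicators listed above and correlates the SQLi, then j_security_check, then testAction sequence per client IP. It assumes requests have already been parsed into (client_ip, method, url, body) tuples; the sample traffic is constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit
# resourceid obfuscation: 2+ CHAR(n) joined by + or ||; stacked query: ';' then a SQL verb.
CHAR_CHAIN = re.compile(r"(?:CHAR\(\d+\)\s*(?:\+|\|\|)\s*){2,}CHAR\(\d+\)", re.I)
STACKED = re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I)
UPLOAD_NAME = re.compile(r'filename="[^"]*\.(?:bat|sh|pl|py|rb)"', re.I)  # multipart part header

def classify(method, url, body=""):
    """Return the indicator names one request matches (empty list if none)."""
    path = urlsplit(url).path.lower()          # endswith() tolerates a deployment context path
    merged = parse_qs(urlsplit(url).query)     # query-string plus urlencoded-body parameters
    merged.update(parse_qs(body))
    p = {k: v[0] for k, v in merged.items()}
    hits, rid = [], p.get("resourceid", "")
    if path.endswith("/faulttemplateoptions.jsp") and (CHAR_CHAIN.search(rid) or STACKED.search(rid)):
        hits.append("sqli_resourceid")
    if path.endswith("/showtile.do") and p.get("TileName") == ".ExecProg":
        hits.append("execprog_recon")
    if path.endswith("/adminaction.do") and p.get("method") == "createExecProgAction":
        hits.append("create_exec_action")
    if path.endswith("/upload.do") and method == "POST" and UPLOAD_NAME.search(body):
        hits.append("script_upload")
    if path.endswith("/executescript.do") and p.get("method") == "testAction":
        hits.append("test_action_trigger")
    return hits

def correlate(requests):
    """Per client IP, flag the sequence SQLi -> POST j_security_check -> testAction."""
    stage, flagged = {}, []
    for ip, method, url, body in requests:
        hits, path, s = classify(method, url, body), urlsplit(url).path.lower(), stage.get(ip, 0)
        if "sqli_resourceid" in hits:
            stage[ip] = max(s, 1)
        elif s == 1 and method == "POST" and path.endswith("/j_security_check"):
            stage[ip] = 2
        elif s == 2 and "test_action_trigger" in hits:
            stage[ip] = 3
            flagged.append(ip)
    return flagged

# Constructed sample traffic as (client_ip, method, url, body); not real captures.
SAMPLE = [
    ("10.0.0.5", "POST", "/FaultTemplateOptions.jsp", "resourceid=1'%3BSELECT+CHAR(65)%2BCHAR(68)%2BCHAR(77)--"),
    ("10.0.0.5", "POST", "/j_security_check", "j_username=u&j_password=p"),
    ("10.0.0.5", "GET", "/showTile.do?TileName=.ExecProg", ""),
    ("10.0.0.5", "POST", "/adminAction.do", "method=createExecProgAction&serversite=local"),
    ("10.0.0.5", "POST", "/Upload.do", 'form-data; name="file"; filename="qwertyuiop.bat"'),
    ("10.0.0.5", "GET", "/executeScript.do?method=testAction&actionID=1&haid=null", ""),
    ("10.0.0.9", "GET", "/showTile.do?TileName=Overview", ""),
]
```

Because the exploit's WfsDelay can push the final stage out by a minute or more, the correlation keeps per-client state across the whole window rather than requiring adjacent requests.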
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html
- https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html
- https://www.exploit-db.com/exploits/46740
- https://www.exploit-db.com/exploits/46740/
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11469.html