CVE-2019-11469
published 2019-04-23


Priority: P274 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 18.36% (96.9th percentile)
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

Affected

1 range

Vendor     Product                             Version range   Fixed in
zohocorp   manageengine_applications_manager   12.0 – 14.0     (not listed)

Detection & IOCs (extracted from sources)

URL: /jsp/FaultTemplateOptions.jsp
Port: 8443
  • SQL injection is delivered via HTTP POST to FaultTemplateOptions.jsp with the 'resourceid' parameter; monitor for anomalous SQL syntax (CHAR() chains, stacked queries) in that parameter.
  • MSSQL injection payloads use CHAR() concatenation (e.g. CHAR(65)+CHAR(68)+...) to obfuscate string literals; alert on resourceid values containing repeated CHAR() patterns.
  • After SQLi-based admin account creation, the exploit authenticates via j_security_check (POST) and then calls executeScript.do?method=testAction&actionID=<id>&haid=null to trigger the uploaded payload; correlate these sequential requests.
  • Malicious file upload occurs via multipart POST to /Upload.do; the uploaded filename is a random 9-12 character alpha string with extension .bat, .sh, .pl, .py, or .rb — alert on Upload.do receiving script-extension files.
  • The exploit uses showTile.do?TileName=.ExecProg to discover the server-side execution directory and platform; an unauthenticated or newly-authenticated request to this tile is a strong pre-exploitation indicator.
  • The exploit registers a new exec-program action via POST to adminAction.do with method=createExecProgAction and serversite=local; monitor for unexpected createExecProgAction calls from newly created accounts.
  • The exploit targets both MSSQL and PostgreSQL backends by sending two separate SQLi payloads to FaultTemplateOptions.jsp; detection should cover both database syntax variants in the resourceid parameter.
  • Default exploit port is 8443 with SSL; deployments may use a different port, so detections should not be port-restricted.
  • The exploit sets WfsDelay to 60 seconds as a countermeasure, meaning payload execution may be significantly delayed after the upload; time-based correlation windows must account for this gap.
  • Affected versions span Applications Manager 12 through 14; the exploit was tested on both Linux (PostgreSQL) and Windows (MSSQL and PostgreSQL) targets, so detections must be platform-agnostic.
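A defender-side correlation rule over a constructed request log, added here as an illustration and not taken from the CVE record or its sources: it maps each request to one stage of the chain the bullets above describe and flags a client that hits several distinct stages inside one window. The log format, the filename= field and the 10-minute window (kept generous because of the 60-second WfsDelay noted above) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed request log, one request per line: "<ISO time> <client ip> <method> <path?query>".
# Assumption: the uploaded filename appears as a filename= field; adapt to your proxy/WAF log format.
SAMPLE_LOG = """\
2019-04-23T10:00:01Z 10.0.0.5 POST /jsp/FaultTemplateOptions.jsp?resourceid=CHAR(65)+CHAR(68)+CHAR(77)
2019-04-23T10:00:04Z 10.0.0.5 POST /j_security_check
2019-04-23T10:00:06Z 10.0.0.5 GET /showTile.do?TileName=.ExecProg
2019-04-23T10:00:09Z 10.0.0.5 POST /Upload.do?filename=qwertyuiop.bat
2019-04-23T10:00:12Z 10.0.0.5 POST /adminAction.do?method=createExecProgAction&serversite=local
2019-04-23T10:01:30Z 10.0.0.5 GET /executeScript.do?method=testAction&actionID=17&haid=null
2019-04-23T10:02:00Z 10.0.0.9 GET /jsp/FaultTemplateOptions.jsp?resourceid=1001
2019-04-23T10:02:05Z 10.0.0.9 POST /Upload.do?filename=report.pdf
"""

CHAR_CHAIN = re.compile(r"(?:CHAR\(\d+\)\+){2,}", re.I)  # CHAR(65)+CHAR(68)+... string obfuscation
SCRIPT_UPLOAD = re.compile(r"filename=[A-Za-z]{9,12}\.(?:bat|sh|pl|py|rb)\b")  # random name, script ext

def stage_of(method: str, url: str):
    """Map one request to a stage of the chain, or None if it looks benign."""
    path, _, query = url.partition("?")
    if method == "POST" and path.endswith("/FaultTemplateOptions.jsp") and "resourceid=" in query:
        if CHAR_CHAIN.search(query) or ";" in query:  # CHAR() chains or stacked queries
            return "sqli"
    if method == "POST" and path.endswith("/j_security_check"):
        return "login"
    if path.endswith("/showTile.do") and "TileName=.ExecProg" in query:
        return "recon"
    if method == "POST" and path.endswith("/Upload.do") and SCRIPT_UPLOAD.search(query):
        return "upload"
    if method == "POST" and path.endswith("/adminAction.do") and "method=createExecProgAction" in query:
        return "register"
    if path.endswith("/executeScript.do") and "method=testAction" in query:
        return "trigger"
    return None

def detect(log: str, window: timedelta = timedelta(minutes=10), min_stages: int = 3) -> dict:
    """Per-client stage list; 'chain' is set when >= min_stages distinct stages fall inside the window."""
    hits = {}
    for line in log.splitlines():
        ts, ip, method, url = line.split(" ", 3)
        stage = stage_of(method, url)
        if stage:
            hits.setdefault(ip, []).append((datetime.fromisoformat(ts.replace("Z", "+00:00")), stage))
    result = {}
    for ip, events in hits.items():
        stages = [s for _, s in events]
        span = events[-1][0] - events[0][0]
        result[ip] = {"stages": stages, "chain": len(set(stages)) >= min_stages and span <= window}
    return result
```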

CVSS provenance

NVD  v3.0  9.8   CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD  v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C