CVE-2019-8394
Published: 2019-02-17
Priority: P1 (82) · CVSS 3.1: 6.5 (medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Tags: KEV · ITW · Exploit
CISA Known Exploited Vulnerability (remediation due 2022-05-03)
Exploited in the wild
EPSS: 64.05% (99.1st percentile)
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_servicedesk_plus | < 10.0.0 | 10.0.0 |
| zohocorp | manageengine_servicedesk_plus | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated or low-privilege POST requests to /common/FileAttachment.jsp with the query parameter module=CustomLogin, which bypasses file extension validation and allows arbitrary file upload.
- Alert on HTTP requests to /custom/login/<filename> following a POST to FileAttachment.jsp, which may indicate a webshell was uploaded and is being accessed.
- Inspect multipart/form-data POST bodies to FileAttachment.jsp for filenames with executable extensions (e.g., .jsp), particularly when the 'module' form field is set to 'CustomLogin'.
- The FileUploader servlet accepts unauthenticated file uploads; monitor for POST requests to this servlet from unauthenticated sessions on ManageEngine ServiceDesk Plus instances.
- Flag multipart form-data uploads containing the form field name 'sspsetup' with value 'Attach' combined with module=CustomLogin, as this matches the known exploit request structure.
- The bypass only works when the 'module' parameter is set to 'CustomLogin'; other module values ('SSP', 'DashBoard', 'HomePage') do enforce extension checking. Detection rules should specifically target the CustomLogin module value.
- MSP (Managed Service Provider) versions of ManageEngine ServiceDesk Plus do NOT expose the vulnerable FileUploader servlet, so detections targeting that servlet should be scoped to non-MSP deployments.
- The exploit requires at minimum a guest-level authenticated session (not fully unauthenticated via FileAttachment.jsp), so session cookie presence alone does not rule out exploitation.
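The detection points above can be combined into one piece of log-analysis logic. The following is an added example written for this page (not code from any of the cited sources): it parses a normalized per-request record (method, URL, source address, session state, raw multipart body), tags uploads to FileAttachment.jsp where 'module' is 'CustomLogin' or the filename carries an executable extension, scopes the FileUploader check to unauthenticated, non-MSP traffic, and correlates a later fetch of /custom/login/<file> from the same source. The record format, the '/FileUploader' URL suffix and all sample traffic are assumptions constructed for the example; the sources name the servlet but not its path.

```python
"""Detection logic for the CVE-2019-8394 upload pattern (added example, not from the page's sources).

Assumed input: one dict per request with keys method, url, src, authenticated, msp and,
for POSTs, the raw multipart body. The /FileUploader path is an assumption.
"""
import os
import re
from urllib.parse import parse_qs, urlsplit

EXEC_EXT = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv"}
UPLOAD_ENDPOINT = "/common/fileattachment.jsp"   # compared case-insensitively
FILEUPLOADER_SUFFIX = "/fileuploader"             # assumed servlet mapping
CUSTOM_LOGIN_DIR = "/custom/login/"               # where CustomLogin uploads are served from

PART_RE = re.compile(
    r'Content-Disposition:\s*form-data;\s*name="(?P<name>[^"]*)"'
    r'(?:;\s*filename="(?P<filename>[^"]*)")?', re.IGNORECASE)


def parse_multipart(body: str) -> dict:
    """Minimal multipart/form-data parser: name -> {"value", "filename"}.
    The boundary is taken from the first line; each part splits on the blank line."""
    boundary = body.split("\r\n", 1)[0]
    parts = {}
    for chunk in body.split(boundary)[1:]:
        if chunk.strip() in ("", "--"):          # preamble / closing delimiter
            continue
        header, _, value = chunk.partition("\r\n\r\n")
        m = PART_RE.search(header)
        if m:
            is_file = m.group("filename") is not None
            parts[m.group("name")] = {"filename": m.group("filename"),
                                      "value": None if is_file else value.strip("\r\n")}
    return parts


def analyze(req: dict) -> list:
    """Return the detection tags that fire for a single request record."""
    tags = []
    url = urlsplit(req["url"])
    path = url.path.lower()
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    fields = parse_multipart(req["body"]) if req.get("body") else {}
    # 'module' may arrive in the query string or as a form field
    module = query.get("module") or (fields.get("module") or {}).get("value")

    if req["method"] == "POST" and path == UPLOAD_ENDPOINT:
        # Only CustomLogin skips the extension check; SSP/DashBoard/HomePage enforce it.
        if module == "CustomLogin":
            tags.append("sdp_customlogin_upload")
            if (fields.get("sspsetup") or {}).get("value") == "Attach":
                tags.append("sdp_known_exploit_shape")
        if any(f["filename"] and os.path.splitext(f["filename"])[1].lower() in EXEC_EXT
               for f in fields.values()):
            tags.append("sdp_executable_upload")

    # FileUploader servlet: unauthenticated POSTs matter; MSP builds lack the servlet.
    if (req["method"] == "POST" and path.endswith(FILEUPLOADER_SUFFIX)
            and not req.get("authenticated") and not req.get("msp")):
        tags.append("sdp_fileuploader_unauth")

    if req["method"] == "GET" and path.startswith(CUSTOM_LOGIN_DIR):
        tags.append("sdp_custom_login_fetch")
    return tags


def correlate(records: list) -> list:
    """Raise a /custom/login/<file> fetch to 'possible_webshell_access' when the same
    source earlier posted a CustomLogin upload. A guest-level session cookie on the
    upload does not clear it, so 'authenticated' is ignored for FileAttachment.jsp."""
    uploaders, alerts = set(), []
    for r in records:
        tags = analyze(r)
        if "sdp_customlogin_upload" in tags:
            uploaders.add(r["src"])
        if "sdp_custom_login_fetch" in tags and r["src"] in uploaders:
            tags.append("possible_webshell_access")
        if tags:
            alerts.append((r["src"], r["url"], tags))
    return alerts


def multipart_body(fields, boundary="----sdpdemo") -> str:
    """Build a raw multipart body for the constructed samples: (name, value, filename)."""
    out = []
    for name, value, filename in fields:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"'
        out.append(f"--{boundary}\r\n{disp}\r\n\r\n{value}\r\n")
    return "".join(out) + f"--{boundary}--\r\n"


# Constructed sample traffic (not real logs).
SAMPLE = [
    {"method": "POST", "src": "10.0.0.7", "authenticated": True,
     "url": "/common/FileAttachment.jsp?module=SSP",
     "body": multipart_body([("file", "constructed-pdf-content", "report.pdf")])},
    {"method": "POST", "src": "10.0.0.5", "authenticated": True,   # guest-level session
     "url": "/common/FileAttachment.jsp?module=CustomLogin",
     "body": multipart_body([("sspsetup", "Attach", None),
                             ("file", "constructed-file-content", "logo.jsp")])},
    {"method": "GET", "src": "10.0.0.5", "url": "/custom/login/logo.jsp"},
    {"method": "GET", "src": "10.0.0.9", "url": "/custom/login/banner.png"},
    {"method": "POST", "src": "10.0.0.3", "authenticated": False, "msp": False,
     "url": "/FileUploader", "body": multipart_body([("file", "x", "a.jsp")])},
    {"method": "POST", "src": "10.0.0.3", "authenticated": False, "msp": True,
     "url": "/FileUploader", "body": multipart_body([("file", "x", "a.jsp")])},
]

if __name__ == "__main__":
    for src, url, tags in correlate(SAMPLE):
        print(src, url, tags)
```

The benign SSP upload produces no tags, the CustomLogin upload fires all three upload tags, the follow-up fetch from the same source is escalated, and the MSP-flagged FileUploader request is suppressed as the caveat above requires.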
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| vulncheck | — | 6.5 | MEDIUM | — |
| cisa | — | 6.5 | MEDIUM | — |
GHSA
GHSA-grv7-685f-m26h: Zoho ManageEngine ServiceDesk Plus (SDP) before 10
ghsa_unreviewed·2022-05-14
CVE-2019-8394 [MEDIUM] CWE-434 GHSA-grv7-685f-m26h: Zoho ManageEngine ServiceDesk Plus (SDP) before 10
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
VulnCheck
Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
vulncheck·2019·CVSS 6.5
CVE-2019-8394 [MEDIUM] CWE-434 Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization.
Affected: Zoho ManageEngine
Required Action: Apply updates per vendor instructions.
Exploitation References: https://socprime.com/blog/zoho-manageengine-servicedesk-plus-vulnerability-detection-and-mitigation/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
CISA
Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
cisa·2021-11-03·CVSS 6.5
CVE-2019-8394 [MEDIUM] CWE-434 Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
Vulnerability: Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
Affected: Zoho ManageEngine
Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-8394
Remediation Due Date: 2022-05-03
No detection rules found.
Exploit-DB
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload
exploitdb·2019-02-18·CVSS 6.5
CVE-2019-8394 [MEDIUM] Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload
---
# Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
# Date: 18-02-2019
# Exploit Author: Dao Duy Hung ([email protected])
# Vendor Homepage: https://www.manageengine.com/products/service-desk/
# Software Link: https://www.manageengine.com/products/service-desk/download.html?opDownload_indexbnr
# Version: 9.4 and 10.0 before 10.0 build 10012
# Tested on: SDP 10.0 build 10000
# CVE : CVE-2019-8394
Detail:
In file common/FileAttachment.jsp, line 332 only checks the file upload extension when parameter 'module' equals 'SSP', 'DashBoard' or 'HomePage'; if parameter 'module' is set to 'CustomLogin', the file upload extension check function is skipped an
Metasploit
ManageEngine ServiceDesk Plus Arbitrary File Upload
metasploit
ManageEngine ServiceDesk Plus Arbitrary File Upload
ManageEngine ServiceDesk Plus Arbitrary File Upload
This module exploits a file upload vulnerability in ManageEngine ServiceDesk Plus. The vulnerability exists in the FileUploader servlet which accepts unauthenticated file uploads. This module has been tested successfully on versions v9 b9000 - b9102 in Windows and Linux. The MSP versions do not expose the vulnerable servlet.
Tenable
CVE-2022-47523: ManageEngine Password Manager Pro, PAM360 and Access Manager Plus SQL Injection Vulnerability
blogs_tenable·2023-01-05·CVSS 9.8
[CRITICAL] CVE-2022-47523: ManageEngine Password Manager Pro, PAM360 and Access Manager Plus SQL Injection Vulnerability
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42
Threat Brief: FireEye Red Team Tool Breach
blogs_unit42·2020-12-11
Threat Brief: FireEye Red Team Tool Breach
Published: December 10, 2020
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls and mitigations for defense against the stolen tools. This data is being used by Palo Alto Networks to help ensure our customers are protected if the attackers choose to utilize the tools for malicious purposes.
It i
Fortinet
FireEye Red Team Tool Breach | Fortinet
blogs_fortinet·2020-12-11·CVSS 8.8
[HIGH] FireEye Red Team Tool Breach | Fortinet
PSIRT BLOGS
FireEye Red Team Tool Breach
By Carl Windsor | December 11, 2020
Executive Summary
On December 8th cyber security vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.
This breach has been attributed to a nation state threat actor so we do not expect to see these tools be widely abused in the wild, however with the additional information provided by FireEye, Fortinet have been able to ensure that these tools cannot be abused.
Threat Mitigation
None of the vulnerabilities disclosed as targeted in the tools were zero days, therefore FortiGuard
Qualys
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach | Qualys
blogs_qualys·2020-12-10
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach | Qualys
Update Jan 5, 2021: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.
Update Dec 23, 2020: Added a new section on compensating controls.
Update Dec 22, 2020: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):
- Active Attacks
- Solorigate Sunburst (New RTI)
Original post: On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security
Zscaler
SolarWinds CyberAttack and FireEye Red Team Tools Coverage
blogs_zscaler·2020-12-09
SolarWinds CyberAttack and FireEye Red Team Tools Coverage
arXiv
Technical Report -- Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits
arxiv_fulltext·2022-02-03
Technical Report -- Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits
Octavian Suciu,
Connor Nelson ,
Zhuoer Lyu ,
Tiffany Bao ,
Tudor Dumitras
University of Maryland, College Park
State University
Network and Distributed Systems Security (NDSS) Symposium 2020
23-26 February 2020, San Diego, CA, USA
ISBN 1-891562-61-4
https://dx.doi.org/10.14722/ndss.2020.23xxx
www.ndss-symposium.org
## Abstract
Assessing the exploitability of software vulnerabilities at the time of disclosure is difficult and error-prone, as features extracted via technical analysis by existing metrics are poor predictors for exploit development.
Moreover, exploitability assessments suffer from a class bias because “not exploitable” labels could be inaccurate.
To overcome these challenges, we propose a new metric, called Expecte
References:
- http://www.securityfocus.com/bid/107129
- https://www.exploit-db.com/exploits/46413/
- https://www.manageengine.com/products/service-desk/readme.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-8394
Timeline:
- 2019-02-17: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild