cbcvebase.
CVE-2019-8394
published 2019-02-17

CVE-2019-8394: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

Priority: P182, medium (CVSS 3.1 base score 6.5)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 64.05% (99.1th percentile)

Affected

2 ranges

Vendor    Product                        Version range   Fixed in
zohocorp  manageengine_servicedesk_plus  < 10.0.0        10.0.0
zohocorp  manageengine_servicedesk_plus

Note that the CVE text scopes the flaw to builds before 10.0 build 10012, so a "< 10.0.0" range understates exposure: 10.0 builds below 10012 are still affected. Check the build number, not just the major version, when matching installs against this entry.

Detection & IOCs (extracted from sources)

URL:  /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1
Path: /custom/login/
Path: /common/FileAttachment.jsp
  • Detect unauthenticated or low-privilege POST requests to /common/FileAttachment.jsp with the query parameter module=CustomLogin; this code path skips the file extension validation and allows arbitrary file upload.
  • Alert on HTTP requests to /custom/login/<filename> that follow a POST to FileAttachment.jsp; this pattern indicates an uploaded webshell being accessed.
  • Inspect multipart/form-data POST bodies to FileAttachment.jsp for filenames with executable extensions (e.g. .jsp), particularly when the 'module' form field is set to 'CustomLogin'.
  • The FileUploader servlet accepts unauthenticated file uploads; monitor for POST requests to this servlet from unauthenticated sessions on ManageEngine ServiceDesk Plus instances.
  • Flag multipart form-data uploads containing the form field 'sspsetup' with value 'Attach' combined with module=CustomLogin; this matches the known exploit request structure.
  • The bypass only works when the 'module' parameter is set to 'CustomLogin'; the other module values ('SSP', 'DashBoard', 'HomePage') do enforce extension checking, so detection rules should target the CustomLogin value specifically.
  • MSP (Managed Service Provider) builds of ManageEngine ServiceDesk Plus do not expose the vulnerable FileUploader servlet, so detections targeting that servlet should be scoped to non-MSP deployments.
  • The FileAttachment.jsp path requires at minimum a guest-level authenticated session (it is not fully unauthenticated), so the presence of a session cookie alone does not rule out exploitation.
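The detection notes above describe three request patterns (a CustomLogin upload with an executable filename, the sspsetup=Attach exploit shape, and a later fetch of the uploaded name under /custom/login/). The following is an added example, not code from the advisory, from Zoho or from any of the cited sources, that implements those rules as a small stateful matcher and runs it over a constructed log. The log format (one JSON object per line with method, url, src, session and decoded multipart form fields), the extension list, and the rule names are all assumptions; it covers the FileAttachment.jsp path only, since the page gives no path for the FileUploader servlet.

```python
"""Added example: detection logic for the CVE-2019-8394 request patterns.

Assumed input format (not a real ServiceDesk Plus or proxy log format):
one JSON object per line with method, url, src, session (null when no
session cookie was sent) and, for multipart POSTs, the decoded form fields
including the upload 'filename'. A real log needs its own parser in front
of UploadDetector.process().
"""
import json
from urllib.parse import parse_qs, urlsplit

UPLOAD_PATH = "/common/FileAttachment.jsp"
SERVED_PREFIX = "/custom/login/"
# Assumed list of extensions the servlet container executes; extend as needed.
EXEC_EXTENSIONS = (".jsp", ".jspx", ".jspf")


def has_exec_extension(filename):
    """True when a filename would be executed server-side if fetched."""
    return filename.lower().endswith(EXEC_EXTENSIONS)


class UploadDetector:
    """Stateful matcher: remembers executable CustomLogin uploads so a later
    fetch of the same name under /custom/login/ is tied back to the upload."""

    def __init__(self):
        self.uploaded = set()
        self.alerts = []

    def _alert(self, lineno, rule, rec, detail):
        self.alerts.append({"line": lineno, "rule": rule, "src": rec.get("src"),
                            "session": rec.get("session"), "detail": detail})

    def process(self, lineno, rec):
        parts = urlsplit(rec["url"])
        method = rec["method"].upper()
        if method == "POST" and parts.path == UPLOAD_PATH:
            self._check_upload(lineno, rec, parse_qs(parts.query))
        elif method == "GET" and parts.path.startswith(SERVED_PREFIX):
            self._check_access(lineno, rec, parts.path[len(SERVED_PREFIX):])

    def _check_upload(self, lineno, rec, query):
        form = rec.get("form") or {}
        # 'module' may arrive in the query string or as a multipart field.
        module = query.get("module", [form.get("module")])[0]
        if module != "CustomLogin":
            return  # SSP, DashBoard and HomePage keep the extension check
        filename = form.get("filename", "")
        if has_exec_extension(filename):
            self.uploaded.add(filename)
            self._alert(lineno, "customlogin_exec_upload", rec, filename)
        if form.get("sspsetup") == "Attach":
            self._alert(lineno, "exploit_request_shape", rec, "sspsetup=Attach")

    def _check_access(self, lineno, rec, filename):
        if filename in self.uploaded:
            self._alert(lineno, "uploaded_file_accessed", rec, filename)
        elif has_exec_extension(filename):
            # Executable fetched from the customization path with no upload
            # seen in this log window: still worth a look, lower confidence.
            self._alert(lineno, "exec_under_custom_login", rec, filename)


def scan(log_text):
    """Run the detector over JSON-lines text and return the alerts in order."""
    det = UploadDetector()
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        if line.strip():
            det.process(lineno, json.loads(line))
    return det.alerts


# Constructed sample traffic, not real logs. Lines 3 and 4 are the upload
# plus webshell fetch, line 6 carries 'module' in the body instead of the
# query string, line 7 fetches a .jsp that was never uploaded in this window.
SAMPLE_LOG = """\
{"ts": "2019-02-20T10:01:02Z", "src": "10.0.0.5", "session": "A1", "method": "POST", "url": "/common/FileAttachment.jsp?module=SSP&view=Dashboard1", "form": {"filename": "report.pdf"}}
{"ts": "2019-02-20T10:02:10Z", "src": "10.0.0.5", "session": "A1", "method": "POST", "url": "/common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1", "form": {"filename": "banner.png"}}
{"ts": "2019-02-20T10:05:44Z", "src": "198.51.100.7", "session": "G9", "method": "POST", "url": "/common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1", "form": {"sspsetup": "Attach", "filename": "cmd.jsp"}}
{"ts": "2019-02-20T10:05:51Z", "src": "198.51.100.7", "session": null, "method": "GET", "url": "/custom/login/cmd.jsp?c=id"}
{"ts": "2019-02-20T10:06:03Z", "src": "10.0.0.9", "session": "A2", "method": "GET", "url": "/custom/login/banner.png"}
{"ts": "2019-02-20T10:09:30Z", "src": "203.0.113.4", "session": null, "method": "POST", "url": "/common/FileAttachment.jsp", "form": {"module": "CustomLogin", "filename": "x.jspx"}}
{"ts": "2019-02-20T10:11:12Z", "src": "203.0.113.9", "session": null, "method": "GET", "url": "/custom/login/old.jsp"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Only executable uploads are remembered, so a legitimate login-page image uploaded through CustomLogin (line 2) does not make every later fetch of /custom/login/banner.png an alert; the sspsetup=Attach rule fires regardless of extension because the page identifies that field combination as the exploit's request shape. Per the MSP caveat above, a rule for the FileUploader servlet would need to be scoped to non-MSP deployments; this example does not include one.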

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd        v2.0     4.0    MEDIUM    AV:N/AC:L/Au:S/C:N/I:P/A:N
vulncheck           6.5    MEDIUM
cisa                6.5    MEDIUM