ManageEngine Applications Manager Authenticated RCE via File Upload (CVE-2020-14008)
CVE-2020-14008 is an unrestricted file upload vulnerability in Zoho ManageEngine Applications Manager that allows an authenticated attacker to upload a malicious JAR file containing a reverse shell to achieve remote code execution.
An authenticated remote code execution vulnerability exists in Zoho ManageEngine Applications Manager due to an unrestricted file upload (CVE-2020-14008). Successful exploitation allows attackers to execute arbitrary code on the system. The exploit involves authenticating to the application, identifying the installation directory, crafting a malicious Java class within a JAR file, uploading the JAR to a specific directory via directory traversal, and then triggering the execution of the uploaded code through the Weblogic credential test. Default credentials of “admin:admin”, “admin:password”, “administrator:administrator”, and “guest:guest” may be leveraged to gain unauthorized access. This vulnerability affects multiple versions of ManageEngine Applications Manager.
Attack Chain
- Authenticate to ManageEngine Applications Manager using valid credentials (e.g., default credentials) to obtain a session cookie.
- Enumerate the ManageEngine base installation directory.
- Create a malicious Java class (e.g., weblogic.jndi.Environment) containing a reverse shell.
- Compile the Java class into a JAR file (e.g., weblogic.jar) using javac and jar.
- Upload the malicious JAR file to the classes/weblogic/version8/ directory using directory traversal techniques. As a fallback, create a scheduled task to move the file.
- Trigger the Weblogic credential test at the /testCredential.do endpoint.
- The application loads and instantiates the malicious Java class.
- The reverse shell within the JAR connects back to the attacker's listener, granting remote code execution.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the affected system, potentially leading to complete system compromise, data theft, and disruption of services. Organizations using ManageEngine Applications Manager are at risk. The exploitation could lead to lateral movement within the network and further compromise of sensitive data.
Recommendation
- Apply the security updates provided by ManageEngine to patch CVE-2020-14008 as detailed in the ManageEngine Advisory.
- Deploy the Sigma rule for detecting JAR file uploads to the webserver log and tune for your environment.
- Monitor process creation events for Java processes executing from the classes/weblogic/version8/ directory, using the provided Sigma rule.
- Enforce strong password policies and regularly audit user accounts to prevent the use of default credentials, as mentioned in the overview.
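As an added example (not part of the original advisory or the platform's Sigma rules), the following Python script applies the webserver-log detection recommended above to constructed sample log lines: it flags write-type requests whose decoded URI names a .jar file together with directory traversal or the classes/weblogic/version8 path, and raises the severity when the same client then calls /testCredential.do. The upload endpoint path and the log lines are constructed placeholders, not the product's real endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample webserver log lines (combined log format). The upload
# endpoint "/PLACEHOLDER_UPLOAD" is a placeholder, not the product's real path.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2024:10:01:02 +0000] "GET /index.do HTTP/1.1" 200 512
10.0.0.5 - admin [12/Mar/2024:10:01:30 +0000] "POST /PLACEHOLDER_UPLOAD?fileName=..%2F..%2Fclasses%2Fweblogic%2Fversion8%2Fweblogic.jar HTTP/1.1" 200 88
10.0.0.9 - guest [12/Mar/2024:10:02:00 +0000] "POST /PLACEHOLDER_UPLOAD?fileName=report.csv HTTP/1.1" 200 88
10.0.0.5 - admin [12/Mar/2024:10:02:15 +0000] "POST /testCredential.do HTTP/1.1" 200 301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)
TRAVERSAL = re.compile(r'(\.\./|\.\.\\)')
TARGET_DIR = "classes/weblogic/version8"


def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_jar_upload(entry):
    """True for POST/PUT whose (double-)decoded URI carries a .jar name with traversal or the target dir."""
    if entry["method"] not in ("POST", "PUT"):
        return False
    uri = unquote(unquote(entry["uri"])).lower()  # decode twice to catch double encoding
    if ".jar" not in uri:
        return False
    return bool(TRAVERSAL.search(uri)) or TARGET_DIR in uri


def detect(log_text):
    """Return (ip, user, severity, reason) findings; escalate when an uploader later hits testCredential.do."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        e = parse(line)
        if not e:
            continue
        path = e["uri"].split("?")[0].lower()
        if is_suspicious_jar_upload(e):
            uploaders.add(e["ip"])
            findings.append((e["ip"], e["user"], "high", "jar upload with traversal"))
        elif path.endswith("/testcredential.do") and e["ip"] in uploaders:
            findings.append((e["ip"], e["user"], "critical", "credential test after jar upload"))
    return findings
```

Run detect(SAMPLE_LOG) to see the two findings; tune the endpoint path and severity mapping to your environment before deploying.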
Detection coverage (2 rules)
- Detects CVE-2020-14008 Exploitation — Malicious JAR Upload (severity: high): detects CVE-2020-14008 exploitation via a suspicious JAR file upload to the ManageEngine Applications Manager webserver.
- Detects CVE-2020-14008 Exploitation — Java Process in weblogic directory (severity: high): detects CVE-2020-14008 exploitation via Java process execution from the weblogic directory.
Detection queries are available on the platform.