{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3azohocorpmanageengine_applications_manager14.0build14072/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:-:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14000:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14010:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14020:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14030:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14040:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14050:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14060:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14070:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14071:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14072:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14073:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14080:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14090:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14100:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14110:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14120:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14130:*:*:*:*:*:*","cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14140:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.2,"id":"CVE-2020-14008"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ManageEngine Applications Manager"],"_cs_severities":["critical"],"_cs_tags":["rce","file upload","manageengine"],"_cs_type":"advisory","_cs_vendors":["Zoho"],"content_html":"\u003cp\u003eAn authenticated remote code execution vulnerability exists in Zoho ManageEngine Applications Manager due to an unrestricted file upload (CVE-2020-14008). Successful exploitation allows attackers to execute arbitrary code on the system. The exploit involves authenticating to the application, identifying the installation directory, crafting a malicious Java class within a JAR file, uploading the JAR to a specific directory via directory traversal, and then triggering the execution of the uploaded code through the Weblogic credential test. Default credentials of \u0026ldquo;admin:admin\u0026rdquo;, \u0026ldquo;admin:password\u0026rdquo;, \u0026ldquo;administrator:administrator\u0026rdquo;, and \u0026ldquo;guest:guest\u0026rdquo; may be leveraged to gain unauthorized access. This vulnerability affects multiple versions of ManageEngine Applications Manager.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAuthenticate to ManageEngine Applications Manager using valid credentials (e.g., default credentials) to obtain a session cookie.\u003c/li\u003e\n\u003cli\u003eEnumerate the ManageEngine base installation directory.\u003c/li\u003e\n\u003cli\u003eCreate a malicious Java class (e.g., \u003ccode\u003eweblogic.jndi.Environment\u003c/code\u003e) containing a reverse shell.\u003c/li\u003e\n\u003cli\u003eCompile the Java class into a JAR file (e.g., \u003ccode\u003eweblogic.jar\u003c/code\u003e) using \u003ccode\u003ejavac\u003c/code\u003e and \u003ccode\u003ejar\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpload the malicious JAR file to the \u003ccode\u003eclasses/weblogic/version8/\u003c/code\u003e directory using directory traversal techniques. As a fallback, create a scheduled task to move the file.\u003c/li\u003e\n\u003cli\u003eTrigger the Weblogic credential test at the \u003ccode\u003e/testCredential.do\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe application loads and instantiates the malicious Java class.\u003c/li\u003e\n\u003cli\u003eThe reverse shell within the JAR connects back to the attacker\u0026rsquo;s listener, granting remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to execute arbitrary code on the affected system, potentially leading to complete system compromise, data theft, and disruption of services. Organizations using ManageEngine Applications Manager are at risk. The exploitation could lead to lateral movement within the network and further compromise of sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security updates provided by ManageEngine to patch CVE-2020-14008 as detailed in the ManageEngine Advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting JAR file uploads to the webserver log and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for Java processes executing from the \u003ccode\u003eclasses/weblogic/version8/\u003c/code\u003e directory, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and regularly audit user accounts to prevent the use of default credentials, as mentioned in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-manageengine-rce/","summary":"CVE-2020-14008 is an unrestricted file upload vulnerability in Zoho ManageEngine Applications Manager that allows an authenticated attacker to upload a malicious JAR file containing a reverse shell to achieve remote code execution.","title":"ManageEngine Applications Manager Authenticated RCE via File Upload (CVE-2020-14008)","url":"https://feed.craftedsignal.io/briefs/2024-01-manageengine-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14072:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}