CVE-2014-5007

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to write arbitrary files and execute them with SYSTEM privileges in ZOHO ManageEngine Desktop Central. The flaw is a directory traversal in the agentLogUploader servlet: '..' sequences in filename parameters are not sanitised, so an uploaded file can be written outside the intended directory. It affects Desktop Central and Desktop Central MSP before version 9 build 90055.

💻 Affected Systems

Products:
  • ZOHO ManageEngine Desktop Central
  • ZOHO ManageEngine Desktop Central MSP
Versions: All versions before 9 build 90055
Operating Systems: Windows (primary deployment platform)
Default Config Vulnerable: ⚠️ Yes
Notes: The agentLogUploader servlet is typically enabled by default in affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install malware, steal credentials, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Remote code execution leading to data theft, ransomware deployment, or lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation, but still significant if exploited, because the written file runs with SYSTEM privileges.

🌐 Internet-Facing: HIGH - Directly exploitable over the internet without authentication.
🏢 Internal Only: HIGH - Even internally, this provides SYSTEM-level access to critical systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9 build 90055 or later

Vendor Advisory: https://www.manageengine.com/products/desktop-central/remote-code-execution.html

Restart Required: Yes

Instructions:

1. Download Desktop Central version 9 build 90055 or later from the ManageEngine website
2. Back up the current installation and configuration
3. Run the installer to upgrade
4. Restart the Desktop Central service

🔧 Temporary Workarounds

Disable the agentLogUploader servlet

Applies to: all affected versions

Purpose: temporarily disable the vulnerable servlet to block exploitation.

How: edit the application's web.xml and remove or comment out the servlet mapping for agentLogUploader, then restart the Desktop Central service so the change takes effect. Expect agent log uploads to stop while the mapping is removed.

Network access control

Applies to: all affected versions

Purpose: restrict access to the Desktop Central web interface.

How: configure firewall rules so that only trusted IP addresses can reach the web interface.

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet and restrict internal network access
  • Implement strict network segmentation and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Desktop Central version in web interface or installation directory. Versions before 9 build 90055 are vulnerable.

Check Version:

Check Help > About in Desktop Central web interface or examine build number in installation directory

Verify Fix Applied:

Verify version is 9 build 90055 or later and test that agentLogUploader servlet no longer accepts directory traversal sequences.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /agentLogUploader with '..' sequences in parameters, including URL-encoded forms (%2e%2e, %2F) that a plain '..' match misses
  • Unusual file creation in system directories
  • SYSTEM privilege escalation events

Network Indicators:

  • HTTP POST requests to /agentLogUploader with suspicious filename parameters
  • Unexpected outbound connections from Desktop Central server

SIEM Query:

source="desktop-central" AND (uri_path="/agentLogUploader" AND (filename="*..*" OR parameter="*..*"))
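As an added example (not part of this advisory or the vendor's tooling), the log indicators above expressed as a small Python checker run over constructed access-log lines. It assumes an NCSA/combined-style access log in front of Desktop Central and a query parameter named filename, and it also catches URL-encoded and double-encoded '..' sequences, which the plain SIEM pattern above does not match.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A '..' path segment after decoding: '../', '..\', or a bare '..' at either end of the value.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Assumed NCSA/combined-style access log line (adapt the pattern to your proxy or Tomcat log).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def has_traversal(value: str) -> bool:
    """URL-decode up to twice (catches double encoding), then look for a '..' segment."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return bool(TRAVERSAL_RE.search(decoded))

def inspect_line(line: str):
    """Return a finding for a request to /agentLogUploader whose parameters carry '..', else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/agentLogUploader"):
        return None
    bad = [k for k, v in parse_qsl(parts.query, keep_blank_values=True) if has_traversal(v)]
    if not bad:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"), "method": m.group("method"),
            "status": m.group("status"), "params": bad}

def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines: a normal agent upload, an encoded traversal, a double-encoded
# traversal, a '..' that is not a path segment, and '..' on an unrelated path.
SAMPLE_LOG = """\
10.0.0.21 - - [15/Jul/2014:08:12:03 +0000] "POST /agentLogUploader?filename=agent.log HTTP/1.1" 200 17
203.0.113.7 - - [15/Jul/2014:08:13:44 +0000] "POST /agentLogUploader?filename=..%2F..%2Fsample.txt HTTP/1.1" 200 17
198.51.100.4 - - [15/Jul/2014:08:15:02 +0000] "POST /agentLogUploader?filename=..%252F..%252Fsample.txt HTTP/1.1" 200 17
10.0.0.33 - - [15/Jul/2014:08:16:10 +0000] "POST /agentLogUploader?filename=agent..log HTTP/1.1" 200 17
10.0.0.9 - - [15/Jul/2014:08:17:55 +0000] "GET /images/..%2Flogo.png HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the two requests that reach /agentLogUploader with a decoded '..' segment in a parameter are reported; the benign upload, the filename containing '..' mid-word, and the unrelated path are ignored.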
