CVE-2020-14008
📋 TL;DR
This vulnerability allows an authenticated admin user in Zoho ManageEngine Applications Manager to upload a malicious JAR file to a specific location, leading to remote code execution. It affects versions 14710 and earlier. Attackers with admin credentials can execute arbitrary code on the server.
💻 Affected Systems
- Zoho ManageEngine Applications Manager
📦 What is this software?
Manageengine Applications Manager by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the server, potentially leading to data theft, lateral movement, or deployment of ransomware.
Likely Case
Authenticated attackers upload malicious JAR files to execute arbitrary commands, potentially compromising the ManageEngine server and accessing sensitive monitoring data.
If Mitigated
With proper access controls and monitoring, exploitation is only possible through an authorized admin account, which an attacker would first have to compromise.
🎯 Exploit Status
Exploit requires admin credentials but is straightforward once authenticated. Public exploit code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14730 and later
Vendor Advisory: https://www.manageengine.com/products/applications_manager/issues.html#14730
Restart Required: Yes
Instructions:
1. Download version 14730 or later from the ManageEngine website.
2. Stop the Applications Manager service.
3. Run the installer/upgrade.
4. Restart the service.
🔧 Temporary Workarounds
Restrict Admin Access
Limit admin user accounts to trusted personnel only and implement multi-factor authentication.
File Upload Restrictions
Implement web application firewall rules to block JAR file uploads to the vulnerable endpoint.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ManageEngine servers from critical systems
- Enable detailed logging and monitoring for file upload activities and admin user actions
🔍 How to Verify
Check if Vulnerable:
Check the Applications Manager version in the web interface or in the installation directory. If the version is 14710 or earlier, the system is vulnerable.
Check Version:
Check the 'version.txt' file in the ManageEngine Applications Manager installation directory or view version in web interface.
Verify Fix Applied:
Verify the version is 14730 or later in the web interface or via the version file in the installation directory.
📡 Detection & Monitoring
Log Indicators:
- Unusual JAR file uploads via admin interface
- Admin user performing unexpected file operations
- Execution of suspicious commands from Applications Manager process
Network Indicators:
- HTTP POST requests uploading files to ManageEngine endpoints
- Outbound connections from ManageEngine server to suspicious IPs
SIEM Query:
source="manageengine" AND (event="file_upload" OR event="admin_action") AND file_extension="jar"
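The SIEM query above can be reproduced outside a SIEM for ad-hoc log review. The following is an added example, not code from the page or from ManageEngine: it applies the same rule (source is manageengine, event is file_upload or admin_action, uploaded file has a .jar extension) to constructed JSON log lines whose field names are assumed to mirror the query.

```python
import json

# Constructed sample log lines (not real ManageEngine output); the field
# names are assumed to match the SIEM query fields on this page.
SAMPLE_LOGS = [
    '{"source": "manageengine", "event": "file_upload", "user": "admin", "file_name": "report.pdf"}',
    '{"source": "manageengine", "event": "file_upload", "user": "admin", "file_name": "agent.jar"}',
    '{"source": "manageengine", "event": "login", "user": "admin"}',
    '{"source": "manageengine", "event": "admin_action", "user": "admin", "file_name": "Plugin.JAR"}',
    '{"source": "nginx", "event": "file_upload", "user": "bob", "file_name": "x.jar"}',
    'not a json record at all',
]


def file_extension(name):
    """Return the lowercase extension of a file name, or '' if it has none."""
    if not name or "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def parse_line(line):
    """Parse one JSON log line; return None for malformed or non-object lines."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def matches_rule(record):
    """Mirror the page's SIEM query:
    source="manageengine" AND (event="file_upload" OR event="admin_action")
    AND file_extension="jar" (derived case-insensitively from file_name)."""
    if record.get("source") != "manageengine":
        return False
    if record.get("event") not in ("file_upload", "admin_action"):
        return False
    return file_extension(record.get("file_name")) == "jar"


def find_jar_uploads(lines):
    """Return (line number, user, file name) for every line the rule matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        record = parse_line(line)
        if record is not None and matches_rule(record):
            hits.append((number, record.get("user"), record.get("file_name")))
    return hits


if __name__ == "__main__":
    for hit in find_jar_uploads(SAMPLE_LOGS):
        print("JAR upload/admin action on line %d by %s: %s" % hit)
```

Matching on the derived extension rather than a literal field keeps mixed-case names such as Plugin.JAR from slipping past the rule.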
🔗 References
- http://packetstormsecurity.com/files/159066/ManageEngine-Applications-Manager-Authenticated-Remote-Code-Execution.html
- https://www.manageengine.com
- https://www.manageengine.com/products/applications_manager/issues.html#14730