CVE-2014-9371
ManageEngine Desktop Central MSP NativeAppServlet UDID JSON Object Code Injection Remote Code Execution Vulnerability
Descriptions
The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the NativeAppServlet servlet. The issue lies in the failure to sanitize JSON data before processing it. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.
Timeline
- 2014-12-11 CVE Reserved
- 2014-12-11 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
CWE
- CWE-20: Improper Input Validation
References (1)
URL | Tag | Source |
---|---|---|
http://www.zerodayinitiative.com/advisories/ZDI-14-420 | X_refsource_misc |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Zohocorp | Manageengine Desktop Central | <= 9.0 | managed_service_providers | Affected |