DETECTION OVERVIEW

Zoho ManageEngine Exploit Attempt - CVE-2019-8394

Risk Factors

An attacker with access to a vulnerable ManageEngine ServiceDesk Plus server can upload a malicious executable file. A successful exploit can result in the attacker gaining control of the server and launching additional attacks on network devices, deploying ransomware, or moving laterally across the network.

Kill Chain

Exploitation

Risk Score

Attack Background

The ManageEngine ServiceDesktop Plus is enterprise software that supports IT help desk management. ServiceDesktop Plus contains a vulnerability that allows untrusted data in uploaded files to be processed and run as code on the ManageEngine server. To exploit this vulnerability, the attacker submits an HTTP POST request with a URI for the vulnerable file path (common/FileAttachment.jsp) and the multi-part form parameter, CustomLogin. The malicious file, which is appended to the HTTP request, is automatically uploaded to a folder in the ManageEngine installation directory (.../Manageengine/servicedesk/custom/login). Later, the attacker sends a GET request to run the malicious file, which could contain malware or a web shell.

Mitigation Options

Install relevant patches for affected versions

If unable to patch, check for suspicious files in this ManageEngine installation directory, .../Manageengine/servicedesk/custom/login

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases