CVE-2014-7862 : The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central

The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.

Published 2018-01-04 17:29:00

Updated 2018-10-09 19:53:32

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2014-7862

Zohocorp » Desktop Central
Versions from including (>=) 7
cpe:2.3:a:zohocorp:desktop_central:*:*:*:*:*:*:*:*
Matching versions
Zohocorp » Desktop Central » Managed Service Providers Edition
Versions before (<) 90109
cpe:2.3:a:zohocorp:desktop_central:*:*:*:*:managed_service_providers:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-7862

EPSS FAQ

81.86%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2014-7862

ManageEngine Desktop Central Administrator Account Creation

Disclosure Date: 2014-12-31

First seen: 2020-04-26

auxiliary/admin/http/manage_engine_dc_create_admin

This module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central (including MSP) from v7 onwards. Authors: - Pe

More information

CVSS scores for CVE-2014-7862

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2014-7862

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-7862

https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt

PoC/me_dc9_admin.txt at master · pedrib/PoC · GitHub
Third Party Advisory
http://www.securityfocus.com/bid/71849

ManageEngine Desktop Central CVE-2014-7862 Remote Security Bypass Vulnerability
Third Party Advisory;VDB Entry
http://www.securityfocus.com/archive/1/534356/100/0/threaded

SecurityFocus
https://exchange.xforce.ibmcloud.com/vulnerabilities/99595

ManageEngine Desktop Central security bypass CVE-2014-7862 Vulnerability Report
Issue Tracking;Third Party Advisory;VDB Entry
https://www.rapid7.com/db/modules/auxiliary/admin/http/manage_engine_dc_create_admin

ManageEngine Desktop Central Administrator Account Creation
Exploit;Third Party Advisory
https://www.manageengine.com/products/desktop-central/cve20147862-unauthorized-account-creation.html

Security Updates on Vulnerabilities - CVE-2014-7862- Unauthorized Administrator Account Creation - Desktop Central Knowledge Base
Third Party Advisory
http://seclists.org/fulldisclosure/2015/Jan/2

Full Disclosure: [The ManageOwnage Series, part X]: 0-day administrator account creation in Desktop Central
Issue Tracking;Mailing List;Third Party Advisory
http://packetstormsecurity.com/files/129769/Desktop-Central-Add-Administrator.html

Desktop Central Add Administrator ≈ Packet Storm
Issue Tracking;Third Party Advisory;VDB Entry

Jump to