Vulnerability Details CVE-2020-10189
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.942
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 10.0
Proposed Action
Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html
- https://cwe.mitre.org/data/definitions/502.html
- https://srcincite.io/advisories/src-2020-0011/
- https://srcincite.io/pocs/src-2020-0011.py.txt
- https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html
- https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/
- http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html
- https://cwe.mitre.org/data/definitions/502.html
- https://srcincite.io/advisories/src-2020-0011/
- https://srcincite.io/pocs/src-2020-0011.py.txt
- https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html
- https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/
Products affected by CVE-2020-10189
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:-
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.0
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.124
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.137
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.184
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.255
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.271
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.289
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.290
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.380
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.430
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:7.0
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:7.0.0
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:7.0.1
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:8.0.0
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:9.0
-
cpe:2.3:a:zohocorp:manageengine_desktop_central:9.1.0