CVE-2020-10189

critical-risk
Published 2020-03-06

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

Do I need to act?

!
94.2% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
1 public exploit available
48224
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Zohocorp

References (13)

Exploit http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-De...
Third Party Advisory https://cwe.mitre.org/data/definitions/502.html
Exploit https://srcincite.io/advisories/src-2020-0011/
Exploit https://srcincite.io/pocs/src-2020-0011.py.txt
Vendor Advisory https://www.manageengine.com/products/desktop-central/remote-code-execution-vuln...
Third Party Advisory https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/
Exploit http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-De...
Third Party Advisory https://cwe.mitre.org/data/definitions/502.html
Exploit https://srcincite.io/advisories/src-2020-0011/
Exploit https://srcincite.io/pocs/src-2020-0011.py.txt
Vendor Advisory https://www.manageengine.com/products/desktop-central/remote-code-execution-vuln...
Third Party Advisory https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-...
71
/ 100
critical-risk
Severity 32/34 · Critical
Exploitability 34/34 · Critical
Exposure 5/34 · Minimal