CVE-2020-24397

moderate-risk
Published 2020-10-02

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.

Do I need to act?

!
17.2% chance of exploitation in next 30 days
EPSS score — higher than 83% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Zohocorp

References (4)

Product https://www.manageengine.com/products/desktop-central/
Vendor Advisory https://www.manageengine.com/products/desktop-central/integer-overflow-vulnerabi...
Product https://www.manageengine.com/products/desktop-central/
Vendor Advisory https://www.manageengine.com/products/desktop-central/integer-overflow-vulnerabi...
44
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 13/34 · Low
Exposure 5/34 · Minimal