CVE-2020-8838

low-risk
Published 2020-03-23

An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.

Do I need to act?

-
0.33% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.4/10 Medium
ADJACENT_NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Zohocorp

References (6)

Exploit http://packetstormsecurity.com/files/157612/ManageEngine-Asset-Explorer-Windows-...
Exploit http://seclists.org/fulldisclosure/2020/May/29
Release Notes https://www.manageengine.com/products/asset-explorer/sp-readme.html
Exploit http://packetstormsecurity.com/files/157612/ManageEngine-Asset-Explorer-Windows-...
Exploit http://seclists.org/fulldisclosure/2020/May/29
Release Notes https://www.manageengine.com/products/asset-explorer/sp-readme.html
23
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal