Zoho releases a patch for a critical remote code execution flaw in ManageEngine one day after the vulnerability was publicly disclosed. Update 03/09/2020: Updated the Analysis section to include information on reports of active exploitation of this vulnerability.

CVE-2020-10189: Deserialization Vulnerability in Zoho ManageEngine Desktop Central 10 Patched (SRC-2020-0011)

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

The ManageEngine Desktop Central application running on the remote host is version 10 prior to build 100479.
It is, therefore, affected by a remote code execution vulnerability.

The ManageEngine Desktop Central application running on the remote host is version 10 prior to build 100479. It is, therefore, affected by a remote code execution vulnerability.

ID	Name	Product	Family	Severity
135293	ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution (direct check)	Nessus	CGI abuses	critical
134677	ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2020-10189

critical

Tenable Plugins

critical

critical