CVE-2020-10189

Description

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

From the Tenable Blog

CVE-2020-10189: Deserialization Vulnerability in Zoho ManageEngine Desktop Central 10 Patched (SRC-2020-0011)

Published: 2020-03-07

Zoho releases a patch for a critical remote code execution flaw in ManageEngine one day after the vulnerability was publicly disclosed. Update 03/09/2020: Updated the Analysis section to include information on reports of active exploitation of this vulnerability.

References

https://www.tenable.com/blog/cve-2022-47523-manageengine-password-manager-pro-pam360-and-access-manager-plus-sql-injection

https://www.tenable.com/blog/government-agencies-warn-of-state-sponsored-actors-exploiting-publicly-known-vulnerabilities

https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

https://www.tenable.com/blog/cve-2020-10189-deserialization-vulnerability-in-zoho-manageengine-desktop-central-10-patched

https://www.mandiant.com/resources/blog/apt41-initiates-global-intrusion-campaign-using-multiple-exploits

https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/

https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html

https://srcincite.io/pocs/src-2020-0011.py.txt

https://srcincite.io/advisories/src-2020-0011/

https://cwe.mitre.org/data/definitions/502.html

http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3