www.belgium.be Logo of the federal government

ZOHO Zero-Day Security Vulnerability

Reference: 
Advisory #2020-006
Version: 
1.0
Affected software: 
ManageEngine Desktop Central version 10.0.473 and earlier
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

Sources

https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html

https://www.bleepingcomputer.com/news/security/zoho-fixes-no-auth-rce-zero-day-in-manageengine-desktop-central/

Risks

A remote attacker can leverage this security flaw to execute arbitrary code on affected installations of Desktop Central. Authentication is not required to exploit this vulnerability.

Description

Zoho has released a security update that impacts ManageEngine Desktop Central build 10.0.473. and below.

The exploitation of CVE-2020-10189 allows threat actors to execute arbitrary code as SYSTEM/root on unpatched ManageEngine Desktop Central (also known as Unified Endpoint Management - UEM). Unpatched Desktop Central Installations could also lead to the deployment of dangerous malware on the network of a company.

Recommended Actions

CERT.be recommends users of ManageEngine Desktop Central build 10.0.473. and below to update to the latest version 10.0.479 or newer, released by Zoho.