Zoho ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)

CVE number – CVE-2020-10189

This document explains the unauthenticated remote code execution vulnerability in Desktop Central which was reported by Steven Seeley of Source Incite. The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20,2020. In continuation of that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479.

Note: This vulnerability will not impact Secure Gateway Server. Customers using builds that include the short-term fix are not vulnerable to this exploit. 

What was the problem?

This vulnerability could allow remote attackers to execute arbitrary code on affected installations of Desktop Central. Authentication is not required to exploit this vulnerability.

How do I fix it?

Please update to the latest version 10.0.479 released on March 7, 2020.

The patch and the steps to install it can be found in this page: https://www.manageengine.com/products/desktop-central/service-packs.html.

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: