CVE-2020-10189
Published: 06 March 2020
Summary
CVE-2020-10189 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Zoho ManageEngine Desktop Central. Its CVSS base score is 9.8 (Critical).
Operationally, this CVE ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation); the definitive fix is upgrading Desktop Central to version 10.0.474 or later.
Deeper analysis
Zoho ManageEngine Desktop Central versions before 10.0.474 contain a remote code execution vulnerability stemming from unsafe deserialization of untrusted data. The flaw resides in the getChartImage method of the FileStorage class and is exposed through the CewolfServlet and MDMLogUploaderServlet servlets, corresponding to CWE-502.
An unauthenticated attacker with network access to the server can supply a crafted serialized object and obtain arbitrary code execution, giving full control of the affected host; the CVSS 9.8 vector reflects that no privileges and no user interaction are required.
The vendor advisory from ManageEngine addresses the issue in version 10.0.474, and a public exploit together with a detailed technical write-up demonstrating the deserialization attack path is available. The published proof-of-concept is functional, confirming that unpatched installations are exploitable in practice.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2650
Vulnerability details
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the CVE by requiring that untrusted serialized data reaching getChartImage via CewolfServlet or MDMLogUploaderServlet be validated (for example, restricted to an allowlist of expected classes) before any deserialization occurs. The vendor fix in 10.0.474 closes this path, so upgrading is the primary control.
- AC-3 (Access Enforcement): Enforces authentication and authorization on the exposed servlets so that unauthenticated network attackers cannot reach the vulnerable deserialization path at all; limiting network exposure of the Desktop Central web interface to trusted management networks has the same effect and is the usual stop-gap until the upgrade is applied.
- SI-3 (Malicious Code Protection): Endpoint protection on the server may detect or contain post-exploitation activity, but it cannot reliably inspect a serialized Java object at the point of deserialization, so treat it as a compensating control rather than a fix.
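Because this CVE is exploited in the wild and the vulnerable path is reachable without authentication, operators who cannot patch immediately will want to hunt for access to the two servlets named above. The following Python script is an added example, not vendor code and not part of the original entry: it parses web-server access-log lines in Combined Log Format and flags requests whose URL references CewolfServlet or MDMLogUploaderServlet. The servlet names come from the advisory; the URL substrings used to recognise them, the sample log lines, the ten-minute window, and the "upload followed by chart fetch from the same source" pattern that it escalates to high severity are assumptions for illustration and should be tuned to the deployment being monitored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Combined Log Format (the shape produced by Tomcat's
# AccessLogValve with the common "%h %l %u %t "%r" %s %b" pattern). They are NOT
# real Desktop Central logs, and the URL paths are assumed for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2020:10:15:01 +0000] "POST /mdm/client/v1/mdmLogUploader HTTP/1.1" 200 12
10.0.0.5 - - [06/Mar/2020:10:15:03 +0000] "GET /cewolf/?img=report.png HTTP/1.1" 200 4096
192.168.1.20 - admin [06/Mar/2020:10:20:00 +0000] "GET /configurations.do HTTP/1.1" 200 5120
10.0.0.9 - - [06/Mar/2020:11:00:00 +0000] "GET /cewolf/?img=chart1.png HTTP/1.1" 200 2048
10.0.0.7 - - [06/Mar/2020:12:00:00 +0000] "POST /mdm/client/v1/mdmLogUploader HTTP/1.1" 200 12
10.0.0.7 - - [06/Mar/2020:14:30:00 +0000] "GET /cewolf/?img=late.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Servlet names are from the advisory; mapping a URL substring to each servlet
# is an ASSUMPTION about the deployment and must be tuned to your instance.
SERVLET_MARKERS = {
    "mdmloguploader": "MDMLogUploaderServlet",
    "cewolf": "CewolfServlet",
}

# Assumed window for the upload-then-chart-fetch pattern.
CHAIN_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    lowered = ev["path"].lower()
    ev["servlet"] = next(
        (name for marker, name in SERVLET_MARKERS.items() if marker in lowered), None
    )
    return ev


def find_suspicious(log_text):
    """Return one finding per request that reaches a vulnerable servlet."""
    findings = []
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["servlet"]:
            by_ip[ev["ip"]].append(ev)

    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        last_upload = None
        for ev in events:
            # "-" in the user field only means no HTTP-auth identity was recorded;
            # application sessions are not visible here, so it is a weak signal.
            findings.append({
                "ip": ip, "servlet": ev["servlet"], "path": ev["path"],
                "authenticated": ev["user"] != "-", "severity": "medium",
            })
            if ev["servlet"] == "MDMLogUploaderServlet" and ev["status"] == 200:
                last_upload = ev["ts"]
            elif (ev["servlet"] == "CewolfServlet" and last_upload is not None
                  and ev["ts"] - last_upload <= CHAIN_WINDOW):
                # Assumed attack pattern: a successful upload through the log
                # uploader followed shortly by a chart request from the same source.
                findings[-1]["severity"] = "high"
                findings[-1]["note"] = "upload followed by chart fetch within window"
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

To run this against real logs, replace SAMPLE_LOG with the contents of the access log and adjust SERVLET_MARKERS to the paths your instance actually serves. A hit on either servlet from an address that is not a known administrator or managed agent is worth triage on its own; the escalated "high" finding is only a heuristic and does not confirm exploitation.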