CVE-2020-10189
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- March 06, 2020
- Published Date
- March 06, 2020
- Last Updated
- February 04, 2025
- Vendor
- n/a
- Product
- n/a
- Description
- Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
CVSS Scores
CVSS v3.0
9.8 - CRITICAL
Vector: CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N
SSVC Information
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- total
References
https://srcincite.io/advisories/src-2020-0011/
https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/
https://srcincite.io/pocs/src-2020-0011.py.txt
https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html
http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html
https://cwe.mitre.org/data/definitions/502.html
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2021-11-03 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/desktopcentral_deserialization.rb | 2025-04-29 11:01:37 UTC |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-10189.yaml | 2025-04-26 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
desktopcentral_deserialization
Type: metasploit • Created: Unknown
Metasploit module for CVE-2020-10189
zavke/CVE-2020-10189-ManageEngine
Type: github • Created: 2020-11-12 02:36:09 UTC • Stars: 2