CVE-2020-10189
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- March 06, 2020
- Published Date
- March 06, 2020
- Last Updated
- October 21, 2025
- Vendor
- Zoho
- Product
- ManageEngine Desktop Central
- Description
- Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
- Tags
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- total
- Exploited in the Wild
- Yes (2021-11-03 00:00:00 UTC) Source
CVSS Scores
CVSS v3.0
Vector: CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N
SSVC Information
Exploit Status
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2021-11-03 00:00:00 UTC |
| CISA | 2021-11-03 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/desktopcentral_deserialization.rb | 2025-04-28 15:02:51 UTC |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-10189.yaml | 2025-04-25 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
desktopcentral_deserialization
Type: metasploit • Created: Unknown
zavke/CVE-2020-10189-ManageEngine
Type: github • Created: 2020-11-12 02:36:09 UTC • Stars: 2
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Added to KEVIntel
-
Detected by Nuclei
-
Detected by Metasploit