Skip to the main content.
Government Programs
Integrated technology, solutions, and services that support rapid innovation within the DoD ecosystem.

CMMC Preparation & Assessment
Cybersecurity Assurance Readiness (CSAR®/RMF Pro)
ATO/RMF Support

Book GP Demo

Professional Services
Expertise in security strategy, incident response readiness, policy development, and risk assessments.

Risk Assessments
vCISO
Penetration Testing

Book ProServ Demo

Digital Forensics & Incident Response
Are You Under Attack?

If you are concerned about a potential threat or are experiencing a breach, contact our 24/7/365 emergency hotline at 888-860-0452.

CONTACT US

Subscribe-to-NetSec-News-v4Subscribe to NetSec News

Sign up to receive our biweekly newsletter that covers what's happening in cybersecurity including news, trends, and thought leadership.

SIGN UP

Ingalls Information Security

At our core, Ingalls is a company that strives to be helpful to our clients while continuously innovating and evolving our technology and solutions. Since 2010, we have been dedicated to building a team and product that can stay steps ahead of threats, attacks, and vulnerabilities in an ever-changing landscape.

Meet The Leadership Team

3 min read

Zoho ManageEngine Desktop Central RCE 0-Day Vulnerability

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

This vulnerability is a zero-day vulnerability with a public proof of concept and is actively being exploited in the wild. This vulnerability allows attackers to remotely execute arbitrary code with SYSTEM privileges on compromised ManageEngine Desktop Central instances.

Affected Software / System

ManageEngine Desktop Central

CVE (if applicable)

CVE-2020-10189

Type

Remote Code Execution

Exploit Status: Exploited but not Public

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly Disclosed

Yes

Exploited

Yes

Latest Software Release

1 - Exploitation More Likely

Older Software Release

1 - Exploitation More Likely

Denial of Service

N/A

 

Rating

9.8 - Critical

Impact

An attacker could gain SYSTEM root level code execution on affected ManageEngine Desktop Central instances without authentication. If the vulnerable instance is exposed on the Internet (there are currently over 2300 exposed ManageEngine systems on the Internet) this could provide attackers with an entry point to the network. Even if the instance is not exposed on the Internet, a compromised device on the same network as a vulnerable Desktop Central instance could be used to exploit the vulnerable Desktop Central instance. At that point, the vulnerability could be used to deploy malware laterally to other computers on the network. Similar tactics have been seen with victim Managed Service Providers (MSP) remote monitoring and management (RMM) tools to deploy ransomware to all of the MSP’s clients.

Mitigation

  • Zoho has released Desktop Central version 10.0.479 which patches this vulnerability.


Ingalls recommends the following actions:

  • To determine if your Desktop Central instance has been compromised, Zoho provides the following guidance:
    • If there is any file with these names (txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip) under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, then your installation has been compromised.
    • If there is a presence of the file in this path “C:\Users\Public\install.bat”, then your system has been compromised. (Ingalls recommends checking under other users as well).
  • If any of these files (logger.txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip) is present under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, follow the below-mentioned steps to apply the fix:
  • If you spot “C:\Users\Public\install.bat” (or other users), follow the below-mentioned steps for mitigation:
Vulnerability in Windows Domain Name System (DNS)

Vulnerability in Windows Domain Name System (DNS)

On July 14, 2020, Microsoft released a security update for the issue described in CVE-2020-1350 | Windows DNS Server Remote Code Execution...

Read More
Vulnerability Found in Microsoft Exchange Server

Vulnerability Found in Microsoft Exchange Server

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. ...

Read More
Log4Shell - Log4j Vulnerability (CVE-2021-44228)

Log4Shell - Log4j Vulnerability (CVE-2021-44228)

Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and...

Read More