Zoho ManageEngine Desktop Central RCE 0-Day Vulnerability

Zoho ManageEngine Desktop Central RCE 0-Day Vulnerability

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

This vulnerability is a zero-day vulnerability with a public proof of concept and is actively being exploited in the wild. This vulnerability allows attackers to remotely execute arbitrary code with SYSTEM privileges on compromised ManageEngine Desktop Central instances.

Affected Software / System

ManageEngine Desktop Central

CVE (if applicable)



Remote Code Execution

Exploit Status: Exploited but not Public

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly Disclosed




Latest Software Release

1 - Exploitation More Likely

Older Software Release

1 - Exploitation More Likely

Denial of Service




9.8 - Critical


An attacker could gain SYSTEM root level code execution on affected ManageEngine Desktop Central instances without authentication. If the vulnerable instance is exposed on the Internet (there are currently over 2300 exposed ManageEngine systems on the Internet) this could provide attackers with an entry point to the network. Even if the instance is not exposed on the Internet, a compromised device on the same network as a vulnerable Desktop Central instance could be used to exploit the vulnerable Desktop Central instance. At that point, the vulnerability could be used to deploy malware laterally to other computers on the network. Similar tactics have been seen with victim Managed Service Providers (MSP) remote monitoring and management (RMM) tools to deploy ransomware to all of the MSP’s clients.


  • Zoho has released Desktop Central version 10.0.479 which patches this vulnerability.

Ingalls recommends the following actions:

  • To determine if your Desktop Central instance has been compromised, Zoho provides the following guidance:
    • If there is any file with these names (txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip) under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, then your installation has been compromised.
    • If there is a presence of the file in this path “C:\Users\Public\install.bat”, then your system has been compromised. (Ingalls recommends checking under other users as well).
  • If any of these files (logger.txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip) is present under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, follow the below-mentioned steps to apply the fix:
  • If you spot “C:\Users\Public\install.bat” (or other users), follow the below-mentioned steps for mitigation:
Share :

Sign Up For Netsec News Weekly