A zero-day vulnerability is discovered in Zoho ManageEngine Desktop Central endpoint which could cause serious damage to customers if exploited.
web-based office suite and SaaS provider, Zoho, was revealed to contain a zero-day vulnerability in the ManageEngine Desktop Central endpoint.
ManageEngine Desktop Central endpoint is an endpoint management tool that helps managed service providers (MSPs) remotely manage laptops, smartphones, servers, etc. from a central location.
An information security specialist named Steven Seeley discovered the vulnerability and shared it on Twitter saying that Zoho “typically ignores researchers.” He disclosed details on the issue:
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability.” Seeley says.
The vulnerability is within the FileStorage class; It could enable unauthenticated threat actors to attack and to execute code under the context of SYSTEM.
“The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data,” Seeley explained.
The overall CVSS Score is 9.8 ranking the vulnerability as critical; based on its CVSS score, complex methods and user interaction are not required to exploit the zero-day.
The vulnerability could cause organizations and managed service providers (MSPs) that use Zoho ManageEngine to become the target of ransomware attacks.
According to Shodan, there are more than 2,300 installations of the ManageEngine that can be reached over the Internet.
Zoho stated that they have identified the problem and are working on a patch and it will be released once it is done.
Zoho fixed the zero-day
Secure Your Organization’s Mind with Securemind.se