CVE-2020-10189

CRITICAL KEV NUCLEI

Zoho ManageEngine Desktop Central - Insecure Deserialization

Description

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

Exploits (3)

nomisec WORKING POC 2 stars
by zavke · remote
https://github.com/zavke/CVE-2020-10189-ManageEngine
exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/48224
metasploit WORKING POC GREAT
by mr_me, wvu · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/desktopcentral_deserialization.rb

Nuclei Templates (1)

ManageEngine Desktop Central Java Deserialization
CRITICAL · VERIFIED · by king-alexander
Shodan: http.title:"manageengine desktop central 10"
FOFA: body="manageengine desktop central 10" || title="manageengine desktop central 10" || app="zoho-manageengine-desktop"

Scores

CVSS v3 9.8
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2021-11-03
VulnCheck KEV 2020-03-25
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-2650

Classification

CWE
CWE-502
Status published

Affected Products (1)

zohocorp/manageengine_desktop_central < 10.0.479

Timeline

Published Mar 06, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026