CVE-2020-10189

Severity: Critical · CISA KEV · Nuclei template available

ManageEngine Desktop Central < 10.0.479 - Remote Code Execution via Java Deserialization in FileStorage


Exploitation Summary

CVE-2020-10189 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 3, 2021). EIP tracks 3 public exploits from Metasploit, zavke, mr_me and wvu, among them the Metasploit module exploits/windows/http/desktopcentral_deserialization. A Nuclei detection template is also available.

Description

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

Exploits (3)

Source: exploitdb · Working PoC · Verified
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/48224

This Metasploit module exploits a Java deserialization vulnerability in ManageEngine Desktop Central via the getChartImage() method in the FileStorage class. It uploads a serialized payload to trigger remote code execution on vulnerable versions (< 10.0.474).

Classification: Working PoC (100%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine Desktop Central < 10.0.474
Authentication: none required
Prerequisites: Network access to the target server · Vulnerable version of ManageEngine Desktop Central
Analyzed by devstral-2 on Feb 18, 2026
Source: nomisec · Working PoC · 2 stars
by zavke · remote
https://github.com/zavke/CVE-2020-10189-ManageEngine

This PoC exploits a deserialization vulnerability in ManageEngine Desktop Central via the CewolfServlet, allowing unauthenticated remote code execution as SYSTEM/root. The exploit leverages the MDMLogUploaderServlet to plant a malicious serialized file, which is then deserialized by the CewolfServlet.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine Desktop Central (versions prior to the patch for CVE-2020-10189)
Authentication: none required
Prerequisites: Network access to the target server · ManageEngine Desktop Central with vulnerable CewolfServlet and MDMLogUploaderServlet endpoints exposed
Analyzed by devstral-2 on Feb 16, 2026
Source: metasploit · Working PoC · Great
by mr_me, wvu · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/desktopcentral_deserialization.rb

This Metasploit module exploits a Java deserialization vulnerability (CVE-2020-10189) in ManageEngine Desktop Central versions < 10.0.474. It uploads a serialized payload via a path traversal and triggers deserialization to achieve remote code execution.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine Desktop Central < 10.0.474
Authentication: none required
Prerequisites: Network access to the target · Vulnerable version of ManageEngine Desktop Central
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

ManageEngine Desktop Central Java Deserialization
Critical · Verified · by king-alexander
Shodan: http.title:"manageengine desktop central 10"
FOFA: body="manageengine desktop central 10" || title="manageengine desktop central 10" || app="zoho-manageengine-desktop"

Scores

CVSS v3: 9.8
EPSS: 0.9425
EPSS Percentile: 99.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2020-03-25
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2020-2650
CWE: CWE-502
Status: published
Products (1): zohocorp/manageengine_desktop_central < 10.0.479
Published: Mar 06, 2020
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026