CVE-2020-10189

CRITICAL KEV NUCLEI

Zohocorp Manageengine Desktop Central - Insecure Deserialization

Title source: rule

Description

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/48224
nomisec WORKING POC 2 stars
by zavke · remote
https://github.com/zavke/CVE-2020-10189-ManageEngine
metasploit WORKING POC GREAT
by mr_me, wvu · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/desktopcentral_deserialization.rb

Nuclei Templates (1)

ManageEngine Desktop Central Java Deserialization
CRITICAL · VERIFIED · by king-alexander
Shodan: http.title:"manageengine desktop central 10"
FOFA: body="manageengine desktop central 10" || title="manageengine desktop central 10" || app="zoho-manageengine-desktop"

Scores

CVSS v3 9.8
EPSS 0.9412
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-03-25
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-2650
CWE CWE-502
Status published
Products (1)
zohocorp/manageengine_desktop_central < 10.0.479
Published Mar 06, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026