CVE-2020-15589
HIGH
ManageEngine Desktop Central 10.0.552.W & Remote Access Plus < 10.1.2119.1 - RCE via TLS Bypass
Title source: llm
Description
A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.
References (2)
Core 2
Core References
Product, Vendor Advisory x_refsource_misc
https://www.manageengine.com/products/desktop-central/
Vendor Advisory x_refsource_confirm
https://www.manageengine.com/products/desktop-central/untrusted-agent-server-communication.html
Scores
CVSS v3
8.1
EPSS
0.0358
EPSS Percentile
87.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (2)
zohocorp/manageengine_desktop_central
10.0.552.w
zohocorp/manageengine_remote_access_plus
< 10.1.2119.1
Published
Oct 02, 2020
Tracked Since
Feb 18, 2026