CVE-2020-9367

HIGH

Zohocorp Manageengine Desktop Central - Uncontrolled Search Path

Title source: rule

Description

The MPS Agent in Zoho ManageEngine Desktop Central MSP build MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.

References (1)

[Vendor Advisory] https://www.manageengine.com/desktop-management-msp/dll-hijacking-vulnerability.html

Scores

CVSS v3 7.8

EPSS 0.0018

EPSS Percentile 39.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-427

Status published

Affected Products (1)

zohocorp/manageengine_desktop_central

Timeline

Published Mar 18, 2021

Tracked Since Feb 18, 2026