CVE-2020-10189: 
Zoho ManageEngine Desktop Central Server vulnerability analysis and mitigation

Zoho ManageEngine Desktop Central before version 10.0.474 contained a critical vulnerability (CVE-2020-10189) that allowed remote code execution through deserialization of untrusted data in the getChartImage functionality of the FileStorage class. The vulnerability was discovered by Steven Seeley of Source Incite and publicly disclosed on March 5, 2020. This vulnerability affected the CewolfServlet and MDMLogUploaderServlet servlets and did not require authentication to exploit (Source Incite, MITRE CVE).

The vulnerability stems from improper validation of user-supplied data in the FileStorage class, specifically in the getChartImage functionality. The flaw allowed attackers to execute arbitrary code under the context of SYSTEM privileges through deserialization of untrusted data. The vulnerability received a CVSS v3 base score of 9.8 (Critical), reflecting its severity with attack vector metrics of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Source Incite, AttackerKB).

The vulnerability's exploitation could lead to complete system compromise, allowing attackers to execute arbitrary code with SYSTEM/root privileges. This level of access could enable attackers to take full control over ManageEngine systems and potentially affect an organization's entire fleet of managed devices. With more than 2,300 installations exposed on the internet at the time of disclosure, the vulnerability posed a significant risk to corporate networks (ZDNet).

Zoho released a patch in version 10.0.474 on January 20, 2020, providing a short-term fix for the arbitrary file upload vulnerability. The complete fix for the remote code execution vulnerability was made available in build 10.0.479 released on March 7, 2020. Organizations were advised to update to the latest version immediately. For those unable to apply the patch immediately, manual mitigation steps were provided, including removing specific content from the web.xml file and restarting the Desktop Central service (ManageEngine).

The security community expressed concern about the vulnerability's public disclosure without prior vendor notification. Some researchers criticized the disclosure approach as unprofessional, while others defended it, citing previous experiences of being ignored when reporting issues to Zoho. The disclosure triggered immediate attention from security experts who warned about its potential abuse by ransomware groups for supply chain attacks (ZDNet).