CVE-2021-46164: 
Zoho ManageEngine Desktop Central Server vulnerability analysis and mitigation

Zoho ManageEngine Desktop Central before version 10.0.662 contains a remote code execution vulnerability that allows authenticated users with complete access to the Reports module to execute arbitrary commands. The vulnerability was identified and fixed in build 10.0.662, released on May 3, 2021 (Vendor Advisory).

The vulnerability exists in the Reports module of Desktop Central where users with complete access to this module could execute commands leading to remote code execution. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows authenticated users with complete access to the Reports module to execute arbitrary commands on the system, potentially leading to complete system compromise. Additionally, users could access sensitive information from the database through the Reports page (Vendor Advisory).

The vulnerability has been patched in Desktop Central build 10.0.662. As part of the fix, the access level for the Reports module has been downgraded to Read-Only for all users, and measures have been implemented to prevent access to sensitive database tables. Organizations should upgrade to version 10.0.662 or later to address this vulnerability. The vulnerability does not affect the cloud edition of Desktop Central (Vendor Advisory).