
Cloud Vulnerability DB
A community-led vulnerabilities database
A privilege escalation vulnerability (CVE-2022-23863) was identified in Zoho ManageEngine Desktop Central and Endpoint Central MSP before version 10.1.2137.10. The vulnerability was discovered and disclosed in January 2022, with the fix being released on January 25, 2022. The affected systems include ManageEngine Desktop Central and Endpoint Central MSP installations prior to build 10.1.2137.10 (ManageEngine Advisory).
The vulnerability allows an authenticated web user to change passwords of other users' accounts, including those with higher privileges. This security flaw was addressed in build 10.1.2137.10, which was released as both a quick fix (QPM upgrade) and a standard upgrade (PPM upgrade) (ManageEngine Advisory).
The vulnerability could lead to privilege escalation within the affected systems: authenticated users can modify the login credentials of more privileged accounts, which may result in unauthorized access and system compromise (ManageEngine Advisory).
ManageEngine has released build 10.1.2137.10 to address this vulnerability. For users on build 10.1.2137.9, a quick fix (QPM upgrade) was made available. Users on other builds need to upgrade to version 10.1.2137.10 using the standard PPM upgrade process. The fix can be verified by navigating to Support -> Upgrade Details in the Endpoint Central console (ManageEngine Advisory).
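The following triage script is an added example, not part of the advisory or of ManageEngine's tooling. It classifies build strings collected from Support -> Upgrade Details against the fixed build and the upgrade paths described above. The host names, the inventory dictionary and the four-part build format are assumptions.

```python
import re

# Build numbers taken from the advisory text above.
FIXED_BUILD = (10, 1, 2137, 10)
QPM_SOURCE_BUILD = (10, 1, 2137, 9)


def parse_build(text):
    """Parse '10.1.2137.9' into (10, 1, 2137, 9).

    Assumption: builds are four dot-separated integers, as written on this page.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){3}", text):
        raise ValueError(f"unrecognised build string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(build_text):
    """Classify one installation against CVE-2022-23863."""
    try:
        build = parse_build(build_text)
    except ValueError:
        return "unknown: check manually"
    # Compare as integer tuples. As plain strings, '10.1.2137.9' sorts after
    # '10.1.2137.10' and a vulnerable build would be reported as fixed.
    if build >= FIXED_BUILD:
        return "fixed"
    if build == QPM_SOURCE_BUILD:
        return "vulnerable: QPM quick fix available"
    return "vulnerable: PPM upgrade required"


def triage_inventory(inventory):
    """Map each host name to its triage result."""
    return {host: triage(build) for host, build in inventory.items()}


# Constructed sample inventory; host names and builds are illustrative only.
SAMPLE_INVENTORY = {
    "dc-server-01": "10.1.2137.9",
    "dc-server-02": "10.1.2137.10",
    "dc-server-03": "10.1.2127.1",
    "dc-server-04": "10.1.2137",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```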
Source: This report was generated using AI