CVE-2020-10189
Published: 2020-03-06
Priority: P1 · 97 · Critical · CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_desktop_central | < 10.0.479 | 10.0.479 |
Detection & IOCs (extracted from sources)
URL: /mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5C_chart&filename=logger.zip
URL: /cewolf/?img=%5Clogger.zip
Snort: SID 53433-53435
- Detect the two-stage exploit: first a POST to /mdm/client/v1/mdmLogUploader with path traversal in the 'udid' parameter targeting the _chart directory, followed by a GET to /cewolf/ with the 'img' parameter pointing to the uploaded file to trigger deserialization.
- Look for path-traversal sequences in the 'udid' GET parameter of requests to /mdm/client/v1/mdmLogUploader, specifically patterns like 'si\..\..\..\webapps\DesktopCentral\_chart'.
- Monitor for POST requests to the MDMLogUploaderServlet and CewolfServlet endpoints with Content-Type: application/octet-stream, which may indicate a serialized Java payload upload.
- Check the Desktop Central build number via the 'buildNum' input field in configurations.do responses; versions below 10.0.474 are vulnerable.
- Use FOFA/Shodan queries to identify exposed instances: search for body containing 'manageengine desktop central 10' or HTTP title 'manageengine desktop central 10'.
- The exploit uses certutil as the CmdStager flavor for payload delivery on Windows; monitor for certutil invocations spawned from the Desktop Central server process.
- Exploitation results in SYSTEM/root-level code execution; alert on child processes spawned by the Desktop Central service with elevated privileges.
- The exploit is a two-step process: step 1 uploads the serialized payload via MDMLogUploaderServlet; step 2 triggers deserialization via CewolfServlet. Both HTTP requests must be detected together for reliable alerting.
- The Metasploit module notes FIRST_ATTEMPT_FAIL reliability (the payload upload may fail on the first attempt), so a single failed request should not be used as the sole detection signal; look for repeated attempts.
- The module notes SERVICE_RESOURCE_LOSS as a side effect (it may 404 the upload page), so an availability impact on the upload endpoint may be observed post-exploitation.
- The short-term fix (build 10.0.474) addressed only the arbitrary file upload; the complete RCE fix requires build 10.0.479.
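The correlation the detection notes above call for (stage-1 upload followed by the stage-2 Cewolf trigger from the same client, with repeated upload attempts counted rather than treated as noise), plus the build-number classification against the two fix builds, as an added defender-side example that is not taken from any of the sources quoted on this page. The access-log lines, IP addresses and timestamps are constructed; the request paths and parameters are the indicators listed above.

```python
"""Correlate the two HTTP stages of CVE-2020-10189 in web-server access logs.

Added example, not from any source quoted on this page. Log lines are constructed
(combined log format, RFC 5737 test addresses); paths and parameters are the
indicators listed above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: 203.0.113.10 runs both stages (the first upload 404s, as the
# Metasploit module's FIRST_ATTEMPT_FAIL note warns), 203.0.113.20 is a legitimate
# MDM agent log upload, 198.51.100.7 only fetches the configuration page.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2020:10:00:01 +0000] "GET /configurations.do HTTP/1.1" 200 5120 "-" "python-requests/2.22"
203.0.113.10 - - [05/Mar/2020:10:00:02 +0000] "POST /mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5C_chart&filename=logger.zip HTTP/1.1" 404 0 "-" "python-requests/2.22"
203.0.113.10 - - [05/Mar/2020:10:00:03 +0000] "POST /mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5C_chart&filename=logger.zip HTTP/1.1" 200 0 "-" "python-requests/2.22"
203.0.113.10 - - [05/Mar/2020:10:00:04 +0000] "GET /cewolf/?img=%5Clogger.zip HTTP/1.1" 200 75 "-" "python-requests/2.22"
203.0.113.20 - - [05/Mar/2020:10:01:00 +0000] "POST /mdm/client/v1/mdmLogUploader?udid=a1b2c3d4&filename=logger.zip HTTP/1.1" 200 0 "-" "MDM-Agent"
198.51.100.7 - - [05/Mar/2020:10:05:00 +0000] "GET /configurations.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by backslash or slash; checked after a second unquote so %255C is caught too.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
UPLOADER_PATH = "/mdm/client/v1/mdmLogUploader"
CEWOLF_PATH = "/cewolf/"


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "params": parse_qs(url.query),
        "status": int(m["status"]),
    }


def is_stage1(ev):
    """Stage 1: POST to the MDM log uploader whose 'udid' traverses into _chart."""
    if ev["method"] != "POST" or ev["path"] != UPLOADER_PATH:
        return False
    udid = unquote(ev["params"].get("udid", [""])[0])
    return bool(TRAVERSAL_RE.search(udid)) and "_chart" in udid


def is_stage2(ev):
    """Stage 2: GET to the Cewolf servlet with an 'img' parameter."""
    return ev["method"] == "GET" and ev["path"].startswith(CEWOLF_PATH) and "img" in ev["params"]


def correlate(log_text, window=timedelta(minutes=10)):
    """One alert per client that sent stage 1 and then stage 2 within `window`; every
    stage-1 attempt counts regardless of status code, since a 404 on the first upload is expected."""
    uploads = defaultdict(list)  # ip -> timestamps of stage-1 requests
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_stage1(ev):
            uploads[ev["ip"]].append(ev["ts"])
        elif is_stage2(ev):
            recent = [t for t in uploads[ev["ip"]] if ev["ts"] - t <= window]
            if recent:
                alerts.append({"ip": ev["ip"], "upload_attempts": len(recent),
                               "img": ev["params"]["img"][0], "trigger_at": ev["ts"].isoformat()})
    return alerts


def patch_status(build):
    """Classify a Desktop Central build against the two fixes the vendor shipped:
    10.0.474 closed only the arbitrary file upload, 10.0.479 is the complete RCE fix."""
    parts = tuple(int(p) for p in build.split("."))
    if parts < (10, 0, 474):
        return "vulnerable"
    if parts < (10, 0, 479):
        return "partial fix (upload closed; upgrade to 10.0.479)"
    return "fixed"
```

Running `correlate(SAMPLE_LOG)` yields a single alert for 203.0.113.10 with two upload attempts, and the benign agent upload from 203.0.113.20 produces nothing because its udid contains no traversal.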
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | | 9.8 | CRITICAL | |
| CISA | | 9.8 | CRITICAL | |
GHSA
GHSA-cx3q-6fpx-362x · ghsa_unreviewed · 2022-05-24 · [HIGH] · CWE-502
Zoho ManageEngine Desktop Central 10 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
VulnCheck
Zoho ManageEngine Desktop Central File Upload Vulnerability · vulncheck · 2020 · CVSS 9.8 · [CRITICAL] · CWE-502
Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution.
Affected: Zoho ManageEngine
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.mandiant.com/resources/blog/apt41-initiates-global-intrusion-campaign-using-multiple-exploits
- https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
- https://www.bleepingcomputer.com/news/security/us-charges-chinese-winnti-hackers-for-attacking-100-plus-companies/
- https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a
- https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_
CISA
Zoho ManageEngine Desktop Central File Upload Vulnerability · cisa · 2021-11-03 · CVSS 9.8 · [CRITICAL] · CWE-502
Vulnerability: Zoho ManageEngine Desktop Central File Upload Vulnerability
Affected: Zoho ManageEngine
Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-10189
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT Zoho ManageEngine Desktop Central RCE Inbound (CVE-2020-10189) · suricata · 2020-03-12 · CVSS 9.8 · [CRITICAL]
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManageEngine Desktop Central RCE Inbound (CVE-2020-10189)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mdm/client/v1/mdmLogUploader?udid=si|5c|..|5c|..|5c|..|5c|webapps|5c|DesktopCentral|5c|_chart&filename="; startswith; fast_pattern; http.request_body; content:"|ac ed 00 05 73 72 00 17 6a 61 76 61 2e 75 74 69 6c 2e 50 72 69 6f 72 69 74 79 51 75 65 75 65 94|"; startswith; reference:url,twitter.com/steventseeley/status/1235635108498948096; reference:cve,2020-10189; reference:url,www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html; classtype:attempted-admin; sid:2029618; rev:2;)
```
The URI match anchors on the path-traversal 'udid' aimed at the _chart directory; the request-body match is the Java serialization stream header (ac ed 00 05) followed by a class descriptor for java.util.PriorityQueue, i.e. the start of the serialized gadget chain rather than a legitimate log archive.
Exploit-DB
ManageEngine Desktop Central - Java Deserialization (Metasploit) · exploitdb · 2020-03-17
Module excerpt:
```
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'ManageEngine Desktop Central Java Deserialization',
'Description' => %q{
This module exploits a Java deserialization vulnerability in the
getChartImage() method from the FileStorage class within ManageEngine
Desktop Central versions [
'mr_me', # Discovery and exploit
'wvu' # Module
],
'References' => [
['CVE', '2020-10189'],
['URL', 'https://srcincite.io/advisories/src-2020-0011/'],
['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],
['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],
['URL', 'https://www.manageengine.com/products/d
```
Nuclei
ManageEngine Desktop Central Java Deserialization · nuclei · CVSS 9.8 · [CRITICAL]
Zoho ManageEngine Desktop Central before 10.0.474 is vulnerable to a deserialization of untrusted data, which permits remote code execution.
Template:
```
id: CVE-2020-10189

info:
  name: ManageEngine Desktop Central Java Deserialization
  author: king-alexander
  severity: critical
  description: |
    Zoho ManageEngine Desktop Central before 10.0.474 is vulnerable to a deserialization of untrusted data, which permits remote code execution.
  impact: |
    Unauthenticated attackers can execute arbitrary code on Zoho ManageEngine Desktop Central servers, leading to complete system compromise and access to all managed endpoints.
  remediation: |
    Upgrade to ManageEngine Desktop Central Build 10.0.474 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-20
```
Metasploit
ManageEngine Desktop Central Java Deserialization · metasploit
This module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions < 10.0.474. Tested against 10.0.465 x64. Quoting the vendor's advisory on fixed versions: "The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20, 2020. In continuation of that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479."
Tenable
CVE-2022-47523: ManageEngine Password Manager Pro, PAM360 and Access Manager Plus SQL Injection Vulnerability · blogs_tenable · 2023-01-05 · CVSS 9.8 · [CRITICAL]
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR · blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Trendmicro
Manage Zero Day Exploits (ZDI) with Trend Micro Solutions · blogs_trendmicro · 2021-04-28
Cyber Threats
## How Trend Micro Helps Manage Exploited Vulnerabilities
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Read how Trend Micro protects customers from vulnerability exploits by blocking them as early as possible.
By: Jon Clay, Apr 28, 2021
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Exploiting known vulnerabilities to successfully compromise an organization has long been a common tactic used by malicious actors. Whether Heartbleed, EternalBlue, or most recently Zerologon, threat actors take advantage of newly disclosed vulnerabilities in their attacks. But even with thousands of new vulnerabilities
Unit42
Threat Brief: FireEye Red Team Tool Breach · blogs_unit42 · 2020-12-11
Unit 42 · Published: December 10, 2020 · High Profile Threats · Malware · Vulnerabilities · FireEye breach
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls and mitigations for defense against the stolen tools. This data is being used by Palo Alto Networks to help ensure our customers are protected if the attackers choose to utilize the tools for malicious purposes.
It i
Fortinet
FireEye Red Team Tool Breach · blogs_fortinet · 2020-12-11 · CVSS 8.8 · [HIGH]
By Carl Windsor | December 11, 2020
Executive Summary
On December 8th cyber security vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.
This breach has been attributed to a nation state threat actor so we do not expect to see these tools be widely abused in the wild, however with the additional information provided by FireEye, Fortinet have been able to ensure that these tools cannot be abused.
Threat Mitigation
None of the vulnerabilities disclosed as targeted in the tools were zero days, therefore FortiGuard
Qualys
Solorigate/Sunburst: Theft of Cybersecurity Tools | FireEye Breach · blogs_qualys · 2020-12-10
Update Jan 5, 2021: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.
Update Dec 23, 2020: Added a new section on compensating controls.
Update Dec 22, 2020: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):
- Active Attacks
- Solorigate Sunburst (New RTI)
Original post: On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security
Zscaler
SolarWinds CyberAttack and FireEye Red Team Tools Coverage · blogs_zscaler · 2020-12-09
Tenable
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities · blogs_tenable · 2020-10-23
Qualys
NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities · blogs_qualys · 2020-10-22 · CVE-2020-15505 [CRITICAL] · CVSS 9.8 / 10.0
#### Table of Contents
- Detect 25 Publicly Known Vulnerabilities using VMDR
Update November 25, 2020: The UK National Cyber Security Centre alerts that APT nation-state groups and cybercriminals are exploiting MobileIron RCE vulnerability (CVE-2020-15505).
Original post: On October 20, 2020, the United States National Security Agency (NSA) released a cybersecurity advisory on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.
“Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts,” said the NSA advisory. It also recommended “critic
Talos
Threat Source newsletter (March 19, 2020) · blogs_talos · 2020-03-19
Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We hope everyone is staying home (if possible) and staying safe. Unfortunately, the bad guys aren’t going anywhere, so we’re still plugging away remotely. Hasn’t anyone told them we need a break?
COVID-19 is obviously on the top of everyone’s mind. We are working on some new content around working from home and COVID-related malware. In the meantime, go back and read our post from February about attackers trying to take advantage of coronavirus panic.
And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.
### Upcoming public engagements
Event: “Everyone
Tenable
CVE-2020-10189: Deserialization Vulnerability in Zoho ManageEngine Desktop Central 10 Patched (SRC-2020-0011) · blogs_tenable · 2020-03-06 · CVSS 9.8 · [CRITICAL]
Threat Intel
APT41 (APT41, Wicked Panda, Brass Typhoon) · threat_intel
# Threat Actor Profile: APT41
ATT&CK ID: G0096
Also known as: APT41, Wicked Panda, Brass Typhoon, BARIUM
Suspected origin: China
## Overview
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 202
arXiv
Technical Report -- Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits · arxiv_fulltext · 2022-02-03
Octavian Suciu, Connor Nelson, Zhuoer Lyu, Tiffany Bao, Tudor Dumitras
University of Maryland, College Park
State University
Network and Distributed Systems Security (NDSS) Symposium 2020
23-26 February 2020, San Diego, CA, USA
ISBN 1-891562-61-4
https://dx.doi.org/10.14722/ndss.2020.23xxx
www.ndss-symposium.org
## Abstract
Assessing the exploitability of software vulnerabilities at the time of disclosure is difficult and error-prone, as features extracted via technical analysis by existing metrics are poor predictors for exploit development.
Moreover, exploitability assessments suffer from a class bias because “not exploitable” labels could be inaccurate.
To overcome these challenges, we propose a new metric, called Expecte
References:
- http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html
- https://cwe.mitre.org/data/definitions/502.html
- https://srcincite.io/advisories/src-2020-0011/
- https://srcincite.io/pocs/src-2020-0011.py.txt
- https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html
- https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10189
Timeline:
- 2020-03-06: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild