CVE-2020-10189
published 2020-03-06


Priority: P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

Affected

1 range

Vendor    Product                       Version range   Fixed in
zohocorp  manageengine_desktop_central  < 10.0.479      10.0.479

Detection & IOCs (extracted from sources)

url: /mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5C_chart&filename=logger.zip
url: /cewolf/?img=%5Clogger.zip
path: \webapps\DesktopCentral\_chart\logger.zip
port: 8383
snort: SID 53433-53435
  • Detect the two-stage exploit: first a POST to /mdm/client/v1/mdmLogUploader with path-traversal in the 'udid' parameter targeting the _chart directory, followed by a GET to /cewolf/ with the 'img' parameter pointing to the uploaded file to trigger deserialization.
  • Look for path-traversal sequences in the 'udid' GET parameter of requests to /mdm/client/v1/mdmLogUploader, specifically patterns like 'si\..\..\..\webapps\DesktopCentral\_chart'.
  • Monitor for POST requests to MDMLogUploaderServlet and CewolfServlet endpoints with Content-Type: application/octet-stream, which may indicate serialized Java payload upload.
  • Check the Desktop Central build number via the 'buildNum' input field in configurations.do responses; versions below 10.0.474 are vulnerable.
  • Use FOFA/Shodan queries to identify exposed instances: search for body containing 'manageengine desktop central 10' or HTTP title 'manageengine desktop central 10'.
  • The exploit uses certutil as the CmdStager flavor for payload delivery on Windows; monitor for certutil invocations spawned from the Desktop Central server process.
  • Exploitation results in SYSTEM/root-level code execution; alert on child processes spawned by the Desktop Central service with elevated privileges.
  • The exploit is a two-step process: step 1 uploads the serialized payload via MDMLogUploaderServlet; step 2 triggers deserialization via CewolfServlet. Both HTTP requests must be detected together for reliable alerting.
  • The Metasploit module notes FIRST_ATTEMPT_FAIL reliability (the payload upload may fail on the first attempt), so a single failed request should not be used as the sole detection signal; look for repeated attempts.
  • The module notes SERVICE_RESOURCE_LOSS as a side effect (the upload page may start returning 404), so an availability impact on the upload endpoint may be observed post-exploitation.
  • The short-term fix (build 10.0.474) addressed only the arbitrary file upload; the complete RCE fix requires build 10.0.479.
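A correlation check for the two-stage pattern in the bullets above, written here as an added example (it is not from the page's sources or the Metasploit module). It parses constructed combined-log-format access-log lines and assumes the Desktop Central web server logs in that format; it reports traversal uploads on their own as a weak signal and a same-source upload followed by a matching CewolfServlet request as the strong one.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2020:10:00:01 +0000] "POST /mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5C_chart&filename=logger.zip HTTP/1.1" 200 12
10.0.0.5 - - [06/Mar/2020:10:00:03 +0000] "GET /cewolf/?img=%5Clogger.zip HTTP/1.1" 500 0
10.0.0.9 - - [06/Mar/2020:10:05:00 +0000] "GET /cewolf/?img=chart1.png HTTP/1.1" 200 4021
10.0.0.7 - - [06/Mar/2020:10:07:00 +0000] "POST /mdm/client/v1/mdmLogUploader?udid=abc123&filename=log.zip HTTP/1.1" 200 12
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')  # "..\" or "../" after URL decoding

def basename(value):
    # Last path component; split on both separators because the IOC uses backslashes.
    return re.split(r'[\\/]', value)[-1].lower()

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}  # parse_qs URL-decodes values
    return {'ip': m['ip'], 'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'path': parts.path, 'qs': qs}

def is_stage1(r):
    """Upload to MDMLogUploaderServlet with traversal in udid aimed at the _chart directory."""
    udid = r['qs'].get('udid', '')
    return (r['path'].startswith('/mdm/client/v1/mdmLogUploader')
            and TRAVERSAL_RE.search(udid) is not None and '_chart' in udid.lower())

def detect(log_text, window=timedelta(minutes=10)):
    """Return traversal uploads (single-stage, weak signal) and correlated two-stage chains."""
    pending, uploads, chains = {}, [], []
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        if is_stage1(r):
            name = basename(r['qs'].get('filename', ''))
            pending.setdefault(r['ip'], []).append((r['ts'], name))
            uploads.append((r['ip'], name))
        elif r['path'].startswith('/cewolf/') and 'img' in r['qs']:
            name = basename(r['qs']['img'])
            # Strong signal: the same source loads, via CewolfServlet, the file it just uploaded.
            if any(up == name and timedelta(0) <= r['ts'] - ts <= window
                   for ts, up in pending.get(r['ip'], [])):
                chains.append((r['ip'], name))
    return {'traversal_uploads': uploads, 'chains': chains}
```

Run `detect(SAMPLE_LOG)` to see the single correlated chain from 10.0.0.5; the benign /cewolf/ chart request and the non-traversal upload produce nothing.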

CVSS provenance

nvd v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL