A serious security flaw has been detected in Zoho ManageEngine, a widely used IT management solution, and bug hunters have published proof-of-concept (PoC) code on GitHub to demonstrate the exploit.
The flaw, tracked as CVE-2020-10189, resides in the ManageEngine ServiceDesk Plus and Networks service and allows an attacker to execute arbitrary code remotely without authentication.
According to researcher Ankit Anubhav, ManageEngine products are widely used by organizations and have over 200,000 customers.
“ManageEngine is one of the leading providers of on-premises, cloud, mobile and IoT unified management across IT, security and IT operations, with over 200,000 customers worldwide,” reads the post published by Anubhav. “This blog is a heads-up to the 200k customer base of ManageEngine ServiceDesk Plus and ManageEngine Network to patch the RCE threat immediately.”
The expert discovered the Zoho ManageEngine flaw while digging into the InvokeDirect_PowershellAction operation handler in the DESApplication.dll application.
Anubhav reported the flaw to Ivanti’s security team and released PoC exploit code on GitHub. The PoC code implements an unauthenticated remote code execution attack.
“This code will remotely execute the cmd.exe command and will show the result in the UI of the application,” reads the PoC code.
The Ivanti security team promptly addressed the issue by releasing security patches.
Users need to apply the patch as soon as possible to prevent attacks leveraging the vulnerability.
This Cyber News was published on securityaffairs.com. Publication date: Sun, 22 Jan 2023 10:48:00 +0000