Attacker Value
High
(1 user assessed)
Exploitability
Very Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2020-15588

Disclosure Date: July 29, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.

Add Assessment

6
Ratings
Technical Analysis

CVE-2020-15589 and CVE-2020-24397 are grouped together with this.

I want to clarify that these are client-side vulnerabilities in ManageEngine Desktop Central. Exploiting them will certainly require MITM or other control of the network.

Details and a PoC are available, so patch this immediately. Desktop Central is UEM software, and while this is a set of client-side vulns, you don’t want attackers taking advantage of such critical software.

General Information

Additional Info

Technical Analysis