Design Issue in Zoho ManageEngine Desktop Central and Remote Access Plus
CVE-2020-15589

8.1HIGH

Key Information:

Vendor: Zohocorp
Status: Manageengine Desktop Central; Manageengine Remote Access Plus
Vendor: CVE Published:; 2 October 2020

What is CVE-2020-15589?

A design issue exists within the GetInternetRequestHandle, InternetSendRequestEx, and InternetSendRequestByBitrate functions in the client side of Zoho ManageEngine Desktop Central and Remote Access Plus. This vulnerability allows an attacker to manipulate the client to bypass TLS certificate validation. As a result, it poses a risk of a man-in-the-middle attack on HTTPS connections. Additionally, this exploitation could lead to unauthenticated remote code execution, significantly jeopardizing the security of the system.

References

https://www.manageengine.com/products/desktop-central/

x_refsource_MISC

https://www.manageengine.com/products/desktop-central/unt...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 2, 2020
Vulnerability Reserved
Jul 7, 2020

Zohocorp

What is CVE-2020-15589?

References

CVSS V3.1

Timeline