Data Exfiltration Risk in Zoho ManageEngine Device Control Plus
CVE-2022-47578

7.8 HIGH

Key Information:

Vendor: Zohocorp
CVE Published: 20 December 2022

What is CVE-2022-47578?

A significant issue has been discovered in Zoho ManageEngine Device Control Plus: users can bypass the established USB device restrictions by booting the system into Safe Mode. Once the restrictions are bypassed, files can be transferred outside the controlled environment, allowing data to be exfiltrated from the device. The method does not require administrative rights, which creates a risk of unauthorized data access and potential malware introduction. The vendor asserts that there is no vulnerability in the product.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
