Zero Day: A Zoho zero-day vulnerability and proof-of-concept (PoC) exploit code were disclosed on Twitter.
A zero-day vulnerability has been disclosed in Zoho Corp.'s ManageEngine IT management software. The flaw lets an unauthenticated, remote attacker execute code on affected systems. Zoho has since released a security update addressing the vulnerability.
The vulnerability, first reported by ZDNet, exists in Zoho ManageEngine Desktop Central, an endpoint management tool that lets administrators manage servers, laptops, smartphones and other devices from a central console. Steven Seeley of Source Incite disclosed the flaw on Twitter on Thursday, along with a proof-of-concept (PoC) exploit. According to ZDNet, Zoho said it would release a patch for the flaw on Friday.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,” according to Seeley.
According to Seeley, the specific flaw exists within the FileStorage class of Desktop Central. The FileStorage class is used to read data from and write data to a file. The issue results from improper validation of user-supplied data, which allows deserialization of untrusted data. Handing attacker-controlled bytes to an object deserializer lets the attacker, rather than the application, decide which classes are instantiated while the stream is being read, which is what turns this bug class into code execution.
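To make the bug class concrete, here is an added example (not code from the page, from Seeley's advisory or from Zoho) of the vulnerable pattern beside its hardened form. It assumes only that the deserializer is Java's standard ObjectInputStream, which is what Desktop Central, a Java application, uses; the class and method names DeserializationDemo, StoredRecord, loadUnsafe and loadFiltered are hypothetical and say nothing about how FileStorage is actually written. The hostile input is a constructed stand-in (an empty HashMap) for a real gadget-chain payload; the filter rejects it at the same point a real payload would be rejected, when its class descriptor is resolved.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Constructed illustration of unsafe vs. filtered Java deserialization.
// All names here are hypothetical; this is not Desktop Central's FileStorage code.
public class DeserializationDemo {

    // The one record type this component legitimately persists to disk.
    public static class StoredRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public StoredRecord(String name) { this.name = name; }
    }

    // Standard Java serialization, used to build both the legitimate input and
    // the constructed stand-in for a hostile input in main().
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern: bytes that arrived in a request go straight to
    // ObjectInputStream.readObject(). Every Serializable class on the server's
    // classpath is fair game, so a gadget chain in the stream runs code during
    // deserialization, before this method can inspect the result at all.
    public static Object loadUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: a JEP 290 ObjectInputFilter (java.io.ObjectInputFilter in
    // Java 9+, backported to 8u121 as sun.misc.ObjectInputFilter) allow-lists the
    // expected class and rejects everything else ("!*") when the class descriptor
    // is resolved, before any constructor or readObject() hook of the rejected
    // class can run. The depth and byte limits also cap resource-exhaustion streams.
    public static StoredRecord loadFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxbytes=65536;DeserializationDemo$StoredRecord;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(filter);
            return (StoredRecord) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legitimate = serialize(new StoredRecord("backup-01"));
        System.out.println("unsafe loader:   " + ((StoredRecord) loadUnsafe(legitimate)).name);
        System.out.println("filtered loader: " + loadFiltered(legitimate).name);

        // Constructed stand-in for an attacker-supplied stream: any class outside
        // the allow-list. A real payload would carry a gadget chain instead.
        byte[] hostile = serialize(new HashMap<String, String>());
        System.out.println("unsafe loader accepted: " + loadUnsafe(hostile).getClass().getName());
        try {
            loadFiltered(hostile);
            System.out.println("filtered loader accepted hostile input (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered loader rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. The point to take away is where the check happens: the filter runs inside readObject() as each class descriptor is read, which is the only place a deny-by-default decision can be made; validating the object after readObject() returns is too late, because gadget chains execute during the read itself.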
Seeley told Threatpost that an attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them “full control of the target machine… basically the worst it gets.”
According to Seeley, who also posted a PoC attack for the flaw on Twitter, the vulnerability scores 9.8 out of 10.0 on the CVSS scale, making it critical in severity. Nate Warfield, a security researcher with Microsoft, pointed to at least 2,300 Zoho systems potentially exposed online.