QID 375931

Date Published: 2021-10-05

QID 375931: Zoho ManageEngine Desktop Central Command Injection Vulnerability

Zoho ManageEngine Desktop Central is an integrated desktop and mobile device management software that helps in managing the servers, laptops, desktops, smart phones and tablets from a central point.

The Notification Server component does not properly validate the command input it receives, so a remote attacker can inject operating system commands without authenticating.

Affected Versions:
Zoho ManageEngine Desktop Central prior to 10.0.683

QID Detection Logic (Unauthenticated):
This QID sends a GET request to /configurations.do on the remote target and reads the Desktop Central build number from the response, then compares it against the fixed build.

QID Detection Logic (Authenticated):
This QID checks for a vulnerable version of Desktop Central by reading the file "product.conf"; the location of the file is taken from the registry.
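The unauthenticated check above is a version comparison: fetch a page that discloses the build number, parse it, and compare it against the first fixed build (10.0.683). The following is an added example written for this page, not the Qualys detector or ManageEngine code. The sample response body, the hidden field name "buildNum" and the exact markup are constructed assumptions; a real /configurations.do response may expose the build differently, in which case only the regex needs adjusting. The comparison is done component-wise, because a string comparison would wrongly treat 10.0.1000 as older than 10.0.683.

```python
"""Version check for QID 375931 (Desktop Central prior to 10.0.683).

Added example, not the Qualys detection code. The sample response below
and the field name "buildNum" are constructed assumptions.
"""
import re
import urllib.request
from typing import Optional, Tuple

FIXED_BUILD: Tuple[int, int, int] = (10, 0, 683)  # first fixed version per the advisory

# Constructed sample of a version-bearing response (assumed layout).
SAMPLE_RESPONSE = """
<html><head><title>Desktop Central</title></head>
<body>
<input type="hidden" name="buildNum" value="10.0.672">
</body></html>
"""

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_build_number(body: str) -> Optional[Tuple[int, int, int]]:
    """Return the first dotted three-part version in body as an int tuple."""
    m = _VERSION_RE.search(body)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """Component-wise comparison: (10, 0, 1000) is newer than (10, 0, 683)."""
    return version < FIXED_BUILD


def assess_body(body: str) -> str:
    """Classify a response body as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_build_number(body)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


def assess_target(base_url: str, timeout: float = 10.0) -> str:
    """Unauthenticated check: GET /configurations.do and read the version.

    Only reads the page; no exploit traffic is sent. Needs network access,
    so it is not exercised by the offline sample below.
    """
    url = base_url.rstrip("/") + "/configurations.do"
    req = urllib.request.Request(url, headers={"User-Agent": "qid-375931-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return assess_body(body)


if __name__ == "__main__":
    print(assess_body(SAMPLE_RESPONSE))
```

Run against a live host with `assess_target("https://dc.example.internal:8383")` (hypothetical host). Treat "unknown" as a reason to fall back on the authenticated product.conf check rather than as a clean result: a login redirect or a WAF page will not carry the build number.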

Successful exploitation of this vulnerability may allow an unauthenticated attacker to execute arbitrary commands on the target system.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.
  • Solution
    Customers are advised to install ManageEngine Desktop Central 10.0.683 or later to remediate this vulnerability.

    Vendor References
    ManageEngine Desktop Central 10.0.683 or later: www.manageengine.com/products/desktop-central/unauthenticated-command-injection-vulnerability.html