CVE-2020-10189

Severity: CRITICAL (CVSS 3.1 base score 9.8)
Published: 2020-03-06 by [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:19 (vuln.today)
Added to CISA KEV: Nov 07, 2025 - 19:33 (cisa)
PoC Detected (public exploit code): Nov 07, 2025 - 19:33 (vuln.today)
CVE Published: Mar 06, 2020 - 17:15 (nvd)

Description

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

Analysis

Zoho ManageEngine Desktop Central before 10.0.474 allows unauthenticated remote code execution through Java deserialization in the FileStorage class. The flaw has been exploited by Chinese APT groups to compromise enterprise networks.

Technical Context

The CWE-502 deserialization flaw in the getChartImage method of the FileStorage class processes untrusted serialized Java objects without validation. Attackers send crafted requests to the /cewolf/ or /mdm/ endpoints (served by CewolfServlet and MDMLogUploaderServlet) containing malicious serialized payloads built from Commons Collections gadget chains.

Affected Products

Zoho ManageEngine Desktop Central before 10.0.474

Remediation

Update Desktop Central to 10.0.474 or later immediately. Audit all managed endpoints for unauthorized software deployed through Desktop Central, since the product's own deployment capability can be abused once the server is compromised. Restrict Desktop Central's network access to management networks only.

Priority Score

223 (scale: Low / Medium / High / Critical)

KEV: +50
EPSS: +94.2
CVSS: +49
POC: +20

CVE-2020-10189 vulnerability details – vuln.today
