VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2018 · Updated Aug 5, 2024

CVE-2018-5337


Description

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184 allows unauthenticated attackers to read or write arbitrary files via the SCRIPT_NAME field.

Vulnerability

An issue was discovered in Zoho ManageEngine Desktop Central versions 10.0.124 and 10.0.184 [1]. The vulnerability is a directory traversal in the SCRIPT_NAME field when modifying existing scripts [1]. This allows an unauthenticated attacker to access files outside the intended script directory [1].
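The class of bug described above, as an added example (not Desktop Central's code, which this page does not include): a client-supplied script name joined onto a script directory unchecked, next to a resolver that allow-lists the name and then verifies containment after resolving the path. `SCRIPT_ROOT`, the function names and the sample inputs are assumptions constructed for illustration.

```python
import os
import re

# Hypothetical script repository root; the product's real path is not on the page.
SCRIPT_ROOT = "/srv/example/scripts"

# Allow-list: one file name component, no separators, no leading dot, bounded length.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def naive_script_path(script_name: str) -> str:
    """Vulnerable pattern: the supplied name is joined and normalised unchecked."""
    return os.path.normpath(os.path.join(SCRIPT_ROOT, script_name))


def safe_script_path(script_name: str, root: str = SCRIPT_ROOT) -> str:
    """Return the path for script_name, or raise ValueError if it could leave root."""
    if not _NAME_RE.fullmatch(script_name):
        raise ValueError("script name contains disallowed characters")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, script_name))
    # Containment check runs after dot segments and symlinks are resolved,
    # so a well-formed name that points at a symlink out of root still fails.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("resolved path escapes the script directory")
    return candidate


def is_rejected(script_name: str) -> bool:
    """True when safe_script_path refuses the name."""
    try:
        safe_script_path(script_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values for a SCRIPT_NAME-style field.
    samples = ["cleanup.bat", "../../conf/server.xml",
               "..\\..\\conf\\server.xml", "/etc/passwd", "sub/dir.ps1", ".."]
    for name in samples:
        print(f"{name!r:32} naive={naive_script_path(name)!r} "
              f"rejected={is_rejected(name)}")
```

The allow-list alone stops separator-based traversal; the containment check is the second layer that still holds if the allow-list is later loosened or the directory contains links.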

Exploitation

Exploitation requires no authentication; the attacker can send a crafted HTTP request to the Desktop Central server with a malicious SCRIPT_NAME parameter containing path traversal sequences (e.g., ../) [1]. The server then processes the request, allowing directory traversal [1].

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary files on the server, or potentially write arbitrary files if the script modification endpoint also handles file writes [1]. This could lead to information disclosure or remote code execution depending on the files accessed or written [1].

Mitigation

ManageEngine released a fix on 27-March-2018 [1]. Users should update to the latest build available by following the vendor's instructions: log in to the console, check the current build number, and download/apply the appropriate Patch Package Management (PPM) update [1]. No other workarounds are listed for this specific CVE [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

2
