CVE-2018-5341
Description
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184 lack server-side file type validation when uploading and modifying scripts, allowing unauthenticated file upload and execution.
Vulnerability
Zoho ManageEngine Desktop Central versions 10.0.124 and 10.0.184 are affected by a missing server-side check on the file type or extension when uploading and modifying scripts. The vulnerability allows unauthenticated users to bypass file type restrictions, potentially enabling the upload of arbitrary web executables throughout the network [1].
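The kind of server-side check the description says is missing, sketched as an added example; it is not Zoho's code or its fix. The allow-list of script types, the list of web-executable extensions, and the function names are all assumptions made for illustration.

```python
import os
import re
import uuid

# Assumption: script types the product is meant to accept (illustrative allow-list).
ALLOWED_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".sh"}
# Illustrative set of extensions a web/application server may execute from a web root.
WEB_EXECUTABLE = {".jsp", ".jspx", ".war", ".php", ".asp", ".aspx"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def validate_script_name(client_name: str) -> str:
    """Return the validated extension or raise ValueError.

    Meant to run server-side on every upload AND every modify/rename request.
    """
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    # Reject any path component rather than silently stripping it.
    if "/" in client_name or "\\" in client_name:
        raise ValueError("path separators not allowed")
    # Windows drops trailing dots/spaces ("x.jsp." becomes "x.jsp"), so refuse them.
    if client_name != client_name.rstrip(". "):
        raise ValueError("trailing dot or space")
    if not SAFE_NAME.match(client_name):
        raise ValueError("unexpected characters in file name")
    parts = client_name.lower().split(".")
    if len(parts) < 2:
        raise ValueError("missing extension")
    exts = ["." + p for p in parts[1:]]
    # Any web-executable segment is refused, e.g. "report.jsp.bat".
    if any(e in WEB_EXECUTABLE for e in exts):
        raise ValueError("web-executable extension present")
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not on allow-list")
    return exts[-1]


def storage_path(client_name: str, script_dir: str) -> str:
    """Build the on-disk path from a server-generated name, never the client's."""
    ext = validate_script_name(client_name)
    return os.path.join(script_dir, uuid.uuid4().hex + ext)
```

The same validation has to guard the modify path as well as the upload path, since the description names both.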
Exploitation
An unauthenticated attacker can supply a specially crafted file, such as a web executable, during the script upload or modification process. Because the server does not validate the file type or extension, the attacker can place malicious files in locations that are later executed by the server or other clients. The attack requires network access to the Desktop Central console but does not require prior authentication [1].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary web executables across the network, leading to remote code execution (RCE) as a privileged user. This compromises the confidentiality, integrity, and availability of the affected server and potentially all endpoints managed by it [1].
Mitigation
The vulnerability was fixed in a build released on 27-March-2018, as part of a cumulative update provided by Zoho. Administrators should update to the latest build of ManageEngine Desktop Central, available through the console's built-in update mechanism. No workaround is documented; updating is the only recommended mitigation. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 10.0.124, 10.0.184
Patches
No patches discovered yet.