CVE-2019-11361
Description
Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine Remote Access Plus 10.0.258 before build 100454 allows guest users to perform privileged operations, leading to privilege escalation and full application compromise.
Vulnerability
A privilege escalation vulnerability exists in Zoho ManageEngine Remote Access Plus prior to build 100454 (version 10.0.258). The application fails to properly validate user permissions, allowing an unauthenticated or low-privileged user (e.g., a Guest user) to perform operations that should require administrative privileges [1].
Exploitation
An attacker with network access to the Remote Access Plus web console can exploit this vulnerability by sending crafted requests that impersonate an administrator. No special authentication or user interaction is required beyond having Guest-level access to the application [1].
Impact
Successful exploitation allows an attacker to escalate privileges to that of an administrator, potentially leading to full application takeover, including the ability to execute arbitrary code, access sensitive data, and modify system configurations [1].
Mitigation
The issue is resolved in Remote Access Plus build 100454, released on 17-March-2020. Users should download and apply the latest PPM (Patch Package Manager) from the product's service packs page. The vulnerability does not affect the cloud version of the product [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Remote Access Plus
- Range: =10.0.258
Patches
No patches discovered yet.
References
[1] www.manageengine.com/remote-desktop-management/knowledge-base/elevation-of-privilege.html (mitre, x_refsource_CONFIRM)