CVE-2019-20474
Description
An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-20474: Authorization bypass in Zoho ManageEngine Remote Access Plus 10.0.447 allows Guest users to perform SSRF via the mail-server test endpoint.
Vulnerability
An authorization bypass vulnerability exists in Zoho ManageEngine Remote Access Plus version 10.0.447. The service endpoint used to test mail-server configuration does not properly enforce access controls, allowing users with the Guest role (read-only access) to reach and abuse the function. This enables a Server-Side Request Forgery (SSRF) condition against the localhost or other hosts on the same network segment [1][2].
Exploitation
An attacker needs only a valid Guest-level account on the Remote Access Plus server. No elevated privileges are required. By sending crafted requests to the vulnerable mail-server test functionality, the attacker can force the server to initiate connections to arbitrary internal IP addresses and ports, effectively performing network and port scans on localhost or adjacent hosts [1][2].
Impact
Successful exploitation allows an attacker with read-only Guest privileges to perform internal network reconnaissance via SSRF. The attacker can enumerate live hosts and open ports on the local network, potentially discovering other vulnerable services. While the vulnerability does not directly lead to arbitrary code execution or data exfiltration, it lowers the barrier for further lateral movement [1][2].
Mitigation
The vulnerability is fixed in Remote Access Plus build 100450, released on 24 January 2020 for on-premises deployments. For cloud deployments, the fix was released on 29 September 2020. Administrators should update to the latest build available on the ManageEngine service packs page. No workarounds have been documented [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
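The two defects the advisory describes (the mail-server test endpoint is reachable by the read-only Guest role, and it will connect to any host and port it is given) are both things the endpoint's handler can refuse up front. The check below is an added, hypothetical illustration written for this page; it is not ManageEngine's code, and the role names, the injected resolver and the sample hosts are constructed assumptions.

```python
import ipaddress

# Hypothetical hardening of a "test mail-server settings" endpoint of the kind
# this advisory describes. Not ManageEngine's code: the role names, resolver
# hook and sample hosts below are constructed for illustration.
ALLOWED_ROLES = {"Administrator"}  # read-only "Guest" is deliberately absent
ALLOWED_PORTS = {25, 465, 587}     # SMTP only: the endpoint cannot probe arbitrary ports

def _is_internal(ip) -> bool:
    # Loopback, RFC 1918, link-local and other non-global ranges are exactly what
    # an SSRF scan through this endpoint would reach; refuse all of them.
    return (not ip.is_global) or ip.is_multicast

def check_mail_test_request(role, host, port, resolve):
    """Return (allowed, reason) for a mail-server test that would connect to host:port.
    `resolve(host)` yields the IP strings the host resolves to; it is injected so the
    check runs offline and so *every* answer is inspected, not only the first.
    The caller must then connect to the validated IP rather than re-resolving the name."""
    if role not in ALLOWED_ROLES:  # the role check CVE-2019-20474 was missing
        return False, f"role {role!r} may not test mail settings"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} is not an SMTP port"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except ValueError as exc:
        return False, f"bad address for {host!r}: {exc}"
    if not addrs:
        return False, f"{host!r} does not resolve"
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{host!r} resolves to internal address {ip}"
    return True, f"{host!r}:{port} -> {', '.join(map(str, addrs))}"

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "smtp.example.com": ["198.100.50.25"],                   # constructed public address
    "localhost": ["127.0.0.1"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.example.net": ["198.100.50.25", "192.168.1.1"],  # mixed answer: refuse
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for req in [("Guest", "localhost", 8080), ("Administrator", "smtp.example.com", 587)]:
        print(check_mail_test_request(*req, fake_resolve))
```

The role check alone closes the authorization failure; the port allowlist and the per-address check keep a future authorization slip from turning the endpoint back into a scanner.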
Affected products
- Zoho ManageEngine / Remote Access Plus
  - Range: = 10.0.447
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- excellium-services.com/cert-xlm-advisory/cve-2019-20474/ (MITRE refsource: MISC)
- www.manageengine.com/remote-desktop-management/knowledge-base/authorization-failure.html (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.