CVE-2020-15588
Description
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue occurs only when untrusted communication is initiated with the server. In the cloud edition, the agent always connects using trusted communication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in ManageEngine Desktop Central's client-side HTTP handling allows remote code execution as SYSTEM when connecting to an untrusted server.
Vulnerability
An integer overflow vulnerability exists in the client-side HTTP handling of Zoho ManageEngine Desktop Central version 10.0.552.W. The overflow occurs in the InternetSendRequestEx and InternetSendRequestByBitrate functions when processing crafted header values, leading to a heap-based buffer overflow [1]. The affected component is the agent that communicates with the server. This issue is only reachable when the agent initiates untrusted communication with a server; in cloud deployments, the agent always connects to a trusted server and is therefore not affected.
Exploitation
An attacker must control a server that the Desktop Central agent connects to, and the agent must be initiating untrusted communication with that server. When the agent sends an HTTP request and receives a crafted response, the integer overflow in header processing can be triggered. No authentication is required on the attacker's part, because the agent initiates the connection. The resulting heap overflow can then be leveraged for remote code execution.
Impact
Successful exploitation grants the attacker remote code execution with SYSTEM privileges on the affected endpoint. This results in full compromise of the machine, including the ability to install programs, view/change data, and create new accounts.
Mitigation
The vulnerability is fixed in ManageEngine Endpoint Central build 10.0.561 [1]. Users should update to this build or later. Cloud editions of Desktop Central, Patch Manager Plus, and Remote Access Plus are not affected. No workaround is documented. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Desktop Central
  - Range: = 10.0.552.W
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.manageengine.com/products/desktop-central/integer-overflow-vulnerability.html (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.