VYPR
Unrated severity · NVD Advisory · Published Oct 2, 2020 · Updated Aug 4, 2024

CVE-2020-15589


Description

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can force the ManageEngine Desktop Central agent to skip TLS validation, enabling MITM attacks and unauthenticated RCE.

Vulnerability

The vulnerability resides in the GetInternetRequestHandle, InternetSendRequestEx, and InternetSendRequestByBitrate functions in the client-side agent of Zoho ManageEngine Desktop Central build 10.0.552.W and Remote Access Plus before 10.1.2119.1 [1][2]. The agent fails to validate the TLS certificate presented by the server during communication, allowing an attacker in a privileged network position to impersonate the legitimate management server.

Exploitation

The attacker must be on the same network segment as the agent and be able to spoof DNS responses for the legitimate server hostname [2]. No prior authentication is required. The attacker sets up a malicious server with a self-signed certificate; when the agent attempts to contact the real server, the attacker intercepts the connection using DNS spoofing and presents the self-signed certificate, which the agent accepts without verification. The attacker can then serve custom payloads or commands to the agent.

Impact

Successful exploitation allows a man-in-the-middle attacker to fully compromise the endpoint by executing arbitrary code in the context of the agent process — typically SYSTEM on Windows — leading to complete confidentiality, integrity, and availability loss for the affected system [1][2]. No privileged access or user interaction beyond the initial network compromise is needed.

Mitigation

ManageEngine released Endpoint Central build 100646 (Desktop Central build 10.1.2119.1) to address this vulnerability [2]. Administrators must upgrade to this build and follow the steps in the vendor advisory to fully patch the issue. No workaround is documented; upgrading is the only recommended action.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

2
