Unrated severity · NVD Advisory · Published Mar 5, 2021 · Updated Aug 4, 2024

CVE-2020-28050

Description

Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zoho ManageEngine Desktop Central before build 10.0.647 used a single authentication token for all agents, allowing any agent to impersonate another.

Vulnerability

In Zoho ManageEngine Desktop Central builds prior to 10.0.647, the authentication mechanism between agents and the server used a single shared token per instance rather than unique credentials per agent ([1], [2]). This flaw allowed any agent possessing the global token to communicate with the server as if it were any other agent, without proper individual authentication.

Exploitation

An attacker who controls or compromises any agent enrolled in a Desktop Central instance can leverage the shared token to impersonate other agents. No additional authentication or user interaction is required beyond having access to the token from an existing agent. The attacker can then send arbitrary data to the server under the identity of another agent.

Impact

Successful exploitation enables the attacker to submit unauthorized agent data to the server, potentially leading to improper authorization handling. This could result in data corruption, privilege escalation, or further compromise of the managed endpoints, depending on the server's trust in agent data.

Mitigation

The vulnerability is fixed in Desktop Central build 10.0.647 (also known as Endpoint Central build 100647) ([1], [2]). Customers must upgrade to this build or later and then enable Client Certificate Authentication via Admin > Security and Privacy > Security Settings > Enable Client Certificate Authentication. This vulnerability is not applicable to cloud editions of the product.
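
The difference between the shared-token model described under Vulnerability and a per-agent credential, shown as an added example that is not Zoho's code and not part of the advisory. The agent names, keys, token and function names are constructed, and per-agent HMAC keys stand in here for the client certificates the fixed build uses.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from Desktop Central.
SHARED_TOKEN = b"instance-wide-token"            # one secret for every agent
AGENT_KEYS = {"agent-A": b"key-held-only-by-A",  # one secret per agent
              "agent-B": b"key-held-only-by-B"}


def tag(key: bytes, agent_id: str, body: bytes) -> str:
    """MAC that covers the claimed identity as well as the payload."""
    msg = agent_id.encode() + b"\x00" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def accept_shared(agent_id: str, body: bytes, token: bytes) -> bool:
    """Weak model: the token proves 'some enrolled agent', not which one."""
    return agent_id in AGENT_KEYS and hmac.compare_digest(token, SHARED_TOKEN)


def accept_per_agent(agent_id: str, body: bytes, mac: str) -> bool:
    """Hardened model: the verifying key is selected by the claimed identity."""
    key = AGENT_KEYS.get(agent_id)
    if key is None:
        return False
    return hmac.compare_digest(mac, tag(key, agent_id, body))


def impersonation_check(sender: str, claimed: str, body: bytes) -> dict:
    """Sender presents only secrets it legitimately holds while claiming `claimed`."""
    sender_key = AGENT_KEYS[sender]
    return {
        "shared_token": accept_shared(claimed, body, SHARED_TOKEN),
        "per_agent": accept_per_agent(claimed, body, tag(sender_key, claimed, body)),
    }


if __name__ == "__main__":
    # agent-A reports data under agent-B's identity: the shared-token server
    # accepts it, the per-agent server rejects it.
    print(impersonation_check("agent-A", "agent-B", b"inventory-report"))
    # Honest traffic passes under both models.
    print(impersonation_check("agent-A", "agent-A", b"inventory-report"))
```
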

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
