CVE-2020-8422
Description
An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine Remote Access Plus before 10.0.450 allows Guest users to view credential metadata (names, usernames, domains) of remote machines.
Vulnerability
An authorization issue exists in the Credential Manager feature of Zoho ManageEngine Remote Access Plus versions before 10.0.450. Specifically, a user with the Guest role can enumerate all defined credentials for remote machines, retrieving the credential name, credential type, user name, domain/workgroup name, and description. The actual password is not disclosed. Affected versions include up to 10.0.447 [3].
Exploitation
An attacker must have network access to the Remote Access Plus server and a valid Guest account (which may be the default account or obtained through other means). No further authentication or interaction is required. The attacker can simply navigate to the Credential Manager interface or API to list the credential metadata [3].
Impact
Successful exploitation yields sensitive configuration information about remote machine credentials, including usernames and domain associations. This information can be used to facilitate targeted attacks against the managed systems. The confidentiality impact is rated Low (CVSS 4.3) [3].
Mitigation
The vulnerability is fixed in version 10.0.450, released in January 2020. Users should upgrade to this version or later. No workarounds are documented [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Remote Access Plus
- Range: <10.0.450
Patches
No patches discovered yet.