CVE-2020-15588

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication.

Published: Jul 29, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-15588
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-787
CWE-190

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_desktop_central	-	10.0.561

https://www.manageengine.com/products/desktop-central/integer-overflow-vulnerability.html

Vulnerability Database

289,697

CVE-2020-15588