Pat0Is

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Desktop Central versions 10.0.552.W and earlier Zoho ManageEngine Remote Access Plus versions prior to 10.1.2119.1 **Description** A design issue in the client side of the software allows an attacker-controlled server to force the client to skip TLS certificate validation. This can lead to a man-in-the-middle attack against HTTPS and potentially result in unauthenticated remote code execution. **Recommendations** For Zoho ManageEngine Desktop Central version 10.0.552.W, update to a version later than 10.0.552.W. For Zoho ManageEngine Remote Access Plus versions prior to 10.1.2119.1, update to version 10.1.2119.1 or later.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Desktop Central version 10.0.0.SP-534 **Description** An issue in the client side of the software allows an attacker-controlled server to trigger an integer overflow in `InternetSendRequestEx` and `InternetSendRequestByBitrate` functions, leading to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. **Recommendations** For Zoho ManageEngine Desktop Central version 10.0.0.SP-534, consider disabling the `InternetSendRequestEx` and `InternetSendRequestByBitrate` functions as a temporary workaround until a patch is available. Restrict access to the client side of the software to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Desktop Central version 10.0.552.W **Description** An issue in the client side of the software allows an attacker-controlled server to trigger an integer overflow in `InternetSendRequestEx` and `InternetSendRequestByBitrate`, leading to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This occurs when untrusted communication is initiated with a server. **Recommendations** For Zoho ManageEngine Desktop Central version 10.0.552.W, consider restricting untrusted communication with servers to minimize the risk of exploitation. As a temporary workaround, ensure that agents only connect with trusted communication. At the moment, there is no information about a newer version that contains a fix for this vulnerability.