PT-2020-14515 · Zoho · Zoho Manageengine Remote Access Plus+1

Pat0Is

Published

2020-10-02

Updated

2021-12-06

CVE-2020-15589

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Desktop Central versions 10.0.552.W and earlier Zoho ManageEngine Remote Access Plus versions prior to 10.1.2119.1

Description A design issue in the client side of the software allows an attacker-controlled server to force the client to skip TLS certificate validation. This can lead to a man-in-the-middle attack against HTTPS and potentially result in unauthenticated remote code execution.

Recommendations For Zoho ManageEngine Desktop Central version 10.0.552.W, update to a version later than 10.0.552.W. For Zoho ManageEngine Remote Access Plus versions prior to 10.1.2119.1, update to version 10.1.2119.1 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2020-15589

Affected Products

Zoho Manageengine Desktop Central

Zoho Manageengine Remote Access Plus

PT-2020-14515 · Zoho · Zoho Manageengine Remote Access Plus+1

CVE-2020-15589

Related Identifiers

Affected Products

References · 4