Virsec Security Research Lab Vulnerability Report
The Virsec Security Research Lab, helmed by Virsec CTO Satya Gupta, provides timely, relevant analysis of prevalent security vulnerabilities.
1.1 Vulnerability Summary
SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.
1.2 CVSS Score
The CVSS Base Score is 9.8 (Critical).
1.3 Affected Version
ManageEngine Applications Manager 14 before 14560.
1.4 Vulnerability Attribution
Anonymous
1.5 Risk Impact
ManageEngine, a division of Zoho Corporation, makes enterprise IT management software for IT administrators and IT managers working in small, medium, and large enterprises. 38% of large companies use ManageEngine for their IT management.
Exploitation of this vulnerability could expose all sensitive data that resides in the database, including all sensitive employee information. A publicly available exploit for this vulnerability exists.
1.6 Virsec Security Platform (VSP) Support:
The Virsec Security Platform (VSP)-Web capability can detect such a SQL injection attack and prevent exploitation.
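Independently of any product, access logs can be triaged for the request described in the summary. The following is an added example, not code from Virsec or Zoho: it flags MyPage.do requests whose template_resid value is not a plain integer. It assumes a combined-format access log and that template_resid normally carries a numeric resource ID; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access-log lines; not taken from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2020:10:00:01 +0000] "GET /MyPage.do?template_resid=10000057 HTTP/1.1" 200 5120
10.0.0.9 - - [02/Nov/2020:10:00:07 +0000] "GET /MyPage.do?template_resid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 312
10.0.0.9 - - [02/Nov/2020:10:00:09 +0000] "GET /MyPage.do?template_resid=7&template_resid=7%3B-- HTTP/1.1" 500 0
10.0.0.7 - - [02/Nov/2020:10:00:11 +0000] "GET /index.do?template_resid=abc HTTP/1.1" 200 100
"""

# Captures client, request target and status from one combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Assumption: a legitimate template_resid is a short decimal resource ID.
NUMERIC_ID = re.compile(r"[0-9]{1,18}")


def suspicious_requests(log_text):
    """Return (client, status, decoded_value) for each MyPage.do request
    whose template_resid is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        client, target, status = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/mypage.do"):
            continue  # only the endpoint named in the advisory
        # parse_qs percent-decodes and keeps every repeat of the parameter,
        # so a benign first value cannot hide a later one.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("template_resid", []):
            if not NUMERIC_ID.fullmatch(value):
                hits.append((client, int(status), value))
    return hits


if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} template_resid={value!r}")
```

Access logs record only the query string, so a template_resid sent in a POST body needs request-body logging or an inline filter to be seen.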
1.7 Reference Links:
The post CVE-2020-27995: Zoho ManageEngine RCE appeared first on Virsec Systems.
*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2020-27995-zoho-manageengine-rce/

