CVE Vulnerability

CVE-2020-8838

An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.

4.9 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 4.4 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

6.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.5 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.manageengine.com/products/asset-explorer/sp-readme.html Release Notes Vendor Advisory
http://seclists.org/fulldisclosure/2020/May/29 Exploit Mailing List
http://packetstormsecurity.com/files/157612/ManageEngine-Asset-Explorer-Windows-Agent-Remote-Code-Execution.html Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.5:*:*:*:*:*:*:*
Information

Published : 2020-03-23 05:15

Updated : 2022-10-07 02:14

NVD link : CVE-2020-8838

Mitre link : CVE-2020-8838

Products Affected

Manageengine Assetexplorer

Zohocorp

CWE
CWE-354