Vulnerability CVE-2020-8838


Published: 2020-03-23

Description:
An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.

Type:
CWE-354 (Improper Validation of Integrity Check Value)

CVSS2 => (AV:A/AC:M/Au:S/C:P/I:P/A:P)

CVSS Base Score: 4.9/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.4/10
Exploit range: Adjacent network
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Zohocorp -> Manageengine assetexplorer

References:
https://www.manageengine.com/products/asset-explorer/sp-readme.html

Copyright 2021, cxsecurity.com

 
