CVE-2020-10189

CVE Database · CVE-2020-10189

CVE-2020-10189

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

99.94%

Published

Mar 6, 2020

Modified

Nov 7, 2025

CISA Known Exploited Vulnerability

Added: 2021-11-03 · Due: 2022-05-03

Apply updates per vendor instructions.

Public PoC / Exploit (4)

All weaponized →

Exploit-DBManageEngine Desktop Central - Java Deserialization (Metasploit)NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCzavke/CVE-2020-10189-ManageEngine★3

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502CWE-502

Affected Products (1)

zohocorp · manageengine_desktop_central (up to 10.0.479)vulnerable

References (13)

http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html

ExploitThird Party AdvisoryVDB Entry

https://cwe.mitre.org/data/definitions/502.html

Third Party Advisory

https://srcincite.io/advisories/src-2020-0011/

ExploitThird Party Advisory

https://srcincite.io/pocs/src-2020-0011.py.txt

ExploitThird Party Advisory

https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html

Vendor Advisory

https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/

KEV Catalog EPSS Scores Vendors All CVEs