CVE-2020-8838

EUVD-2020-29681
An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 MEDIUM
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
zohocorpmanageengine_assetexplorer
6.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/157612/ManageEngine-Asset-Explorer-Windows-Agent-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2020/May/29
https://www.manageengine.com/products/asset-explorer/sp-readme.html
http://packetstormsecurity.com/files/157612/ManageEngine-Asset-Explorer-Windows-Agent-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2020/May/29
https://www.manageengine.com/products/asset-explorer/sp-readme.html