Security readout for executives and security teams
Plain-English summary
This flaw lets an unauthenticated remote attacker potentially take control of vulnerable Zoho ManageEngine Desktop Central servers. Because Desktop Central manages endpoints, compromise can create broad business impact, including system takeover, lateral movement, and disruption of device management operations.
Executive priority
Immediate action is warranted. This is a critical, unauthenticated remote code execution flaw in endpoint management software and is listed by CISA as known exploited.
Technical view
CVE-2020-10189 is a critical Java deserialization vulnerability in ManageEngine Desktop Central before 10.0.474. The issue involves untrusted data deserialization in getChartImage in FileStorage, related to CewolfServlet and MDMLogUploaderServlet. CVSS is 9.8, with network access, no authentication, and no user interaction required.
Likely exposure
Organizations running ManageEngine Desktop Central versions before 10.0.474 are the stated exposed population. Internet-facing management servers are especially concerning, but internal-only deployments still matter because the product manages many endpoints.
Exploitation context
CISA KEV lists CVE-2020-10189 as known exploited. Public reporting and advisories also describe zero-day disclosure and public exploit material. Treat unpatched systems as high-priority compromise candidates, not merely theoretical exposure.
Researcher notes
Focus validation on version evidence, exposed Desktop Central services, and historical compromise review. The source bundle names vulnerable components and CWE-502, but avoid relying on public exploit material for validation in production.
Mitigation direction
- Upgrade ManageEngine Desktop Central to 10.0.474 or later per vendor guidance.
- Check ManageEngine’s advisory for any newer remediation instructions.
- Restrict network access to Desktop Central management interfaces.
- Review logs for suspicious activity before and after remediation.
- Prioritize incident response if vulnerable versions were internet-exposed.
Validation and detection
- Inventory all ManageEngine Desktop Central instances and versions.
- Confirm no instance is running below version 10.0.474.
- Verify exposed management interfaces are not broadly reachable.
- Review authentication, servlet, and upload-related logs for anomalies.
- Check CISA KEV tracking for operational remediation deadlines.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2020-10189 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.8 (3.0)
- Known Exploited
- Yes
- Published
Vector: CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CISA KEV status
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N3.95.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.0 score
9.8CriticalVector: CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N
Source materials
- CVE List V5 sourceCVE List V5
- https://srcincite.io/advisories/src-2020-0011/CVE reference · x_refsource_MISC
- https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/CVE reference · x_refsource_MISC
- https://srcincite.io/pocs/src-2020-0011.py.txtCVE reference · x_refsource_MISC
- https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.htmlCVE reference · x_refsource_CONFIRM
- https://cwe.mitre.org/data/definitions/502.htmlCVE reference · x_refsource_MISC
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10189CVE reference · government-resource
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
