LiveActive security incident?Get immediate response
CVE Record

CVE-2020-10189: Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization o...

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

CriticalCVSS 9.8Known exploitedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

This flaw lets an unauthenticated remote attacker potentially take control of vulnerable Zoho ManageEngine Desktop Central servers. Because Desktop Central manages endpoints, compromise can create broad business impact, including system takeover, lateral movement, and disruption of device management operations.

Executive priority

Immediate action is warranted. This is a critical, unauthenticated remote code execution flaw in endpoint management software and is listed by CISA as known exploited.

Technical view

CVE-2020-10189 is a critical Java deserialization vulnerability in ManageEngine Desktop Central before 10.0.474. The issue involves untrusted data deserialization in getChartImage in FileStorage, related to CewolfServlet and MDMLogUploaderServlet. CVSS is 9.8, with network access, no authentication, and no user interaction required.

Likely exposure

Organizations running ManageEngine Desktop Central versions before 10.0.474 are the stated exposed population. Internet-facing management servers are especially concerning, but internal-only deployments still matter because the product manages many endpoints.

Exploitation context

CISA KEV lists CVE-2020-10189 as known exploited. Public reporting and advisories also describe zero-day disclosure and public exploit material. Treat unpatched systems as high-priority compromise candidates, not merely theoretical exposure.

Researcher notes

Focus validation on version evidence, exposed Desktop Central services, and historical compromise review. The source bundle names vulnerable components and CWE-502, but avoid relying on public exploit material for validation in production.

Mitigation direction

  • Upgrade ManageEngine Desktop Central to 10.0.474 or later per vendor guidance.
  • Check ManageEngine’s advisory for any newer remediation instructions.
  • Restrict network access to Desktop Central management interfaces.
  • Review logs for suspicious activity before and after remediation.
  • Prioritize incident response if vulnerable versions were internet-exposed.

Validation and detection

  • Inventory all ManageEngine Desktop Central instances and versions.
  • Confirm no instance is running below version 10.0.474.
  • Verify exposed management interfaces are not broadly reachable.
  • Review authentication, servlet, and upload-related logs for anomalies.
  • Check CISA KEV tracking for operational remediation deadlines.
Prepared
Confidence
high
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-502: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-10189 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.0)
Known Exploited
Yes
Published

Vector: CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
7Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.0CriticalCVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

9.8Critical
CVSS 3.0 vector shape for CVE-2020-10189Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-502 · source CWE mapping

Deserialization of Untrusted Data

Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.