SRC-2022-0002 : Zoho ManageEngine Desktop Central ChangeAmazonPasswordServlet Elevation of Privilege Vulnerability
ManageEngine Desktop Central and ManageEngine Desktop Central MSP <= 10.1.2138.1 (latest)
This vulnerability allows remote attackers to elevate privileges on affected installations of ManageEngine Desktop Central. Authentication as a low privileged user is required to exploit this vulnerability.
The specific flaw exists within the ChangeAmazonPasswordServlet class. The issue results from a lack of verification of the current password before it is changed. An attacker can leverage this vulnerability to reset the administrator's password.
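To illustrate the class of defect described above, the following is an added example (not ManageEngine code, and not taken from the advisory) showing a password-change handler that skips the checks beside one that re-authenticates the caller and enforces authorization. The user store, the `User` class, the hashing parameters and the handler names are all hypothetical and constructed for the example.

```python
"""Hypothetical password-change handlers (constructed example, not ManageEngine code).

The vulnerable handler trusts the target account named in the request and never
asks for the current password, so any authenticated user can reset any account.
The hardened handler requires the caller to prove their current password and only
lets a non-admin change their own account.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


@dataclass
class User:
    name: str
    is_admin: bool
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(name: str, password: str, is_admin: bool = False) -> User:
    salt = os.urandom(16)
    return User(name, is_admin, salt, _hash(password, salt))


def verify_password(user: User, candidate: str) -> bool:
    # Constant-time comparison of derived hashes.
    return hmac.compare_digest(user.pw_hash, _hash(candidate, user.salt))


def _set_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new_password, user.salt)


# Vulnerable pattern: the caller is authenticated, but neither the caller's identity
# nor the current password is checked against the account being changed.
def change_password_vulnerable(users: Dict[str, User], caller: str,
                               target: str, new_password: str) -> bool:
    _set_password(users[target], new_password)  # BUG: no ownership or re-auth check
    return True


# Hardened pattern: authorization check plus re-authentication with the caller's
# own current password before any account is modified.
def change_password_hardened(users: Dict[str, User], caller: str, target: str,
                             current_password: str, new_password: str) -> bool:
    actor = users[caller]
    # A non-admin may only change their own password.
    if caller != target and not actor.is_admin:
        return False
    # The caller must prove knowledge of their own current password.
    if not verify_password(actor, current_password):
        return False
    _set_password(users[target], new_password)
    return True


def build_store() -> Dict[str, User]:
    # Constructed sample accounts with placeholder passwords.
    return {
        "admin": make_user("admin", "admin-initial-pw", is_admin=True),
        "lowpriv": make_user("lowpriv", "lowpriv-pw"),
    }
```

With `build_store()`, the vulnerable handler lets `lowpriv` overwrite `admin`'s password outright, whereas the hardened one refuses the cross-account change, rejects a wrong current password, and still allows an admin who re-authenticates to reset another user.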
Zoho has issued an update to correct this vulnerability. More details can be found at: https://www.manageengine.com/products/desktop-central/privilege-escalation-vulnerability.html
- 2022-01-20 - Discovered and unreported
- 2022-01-21 - Public zero-day release of advisory
- 2022-01-25 - Zoho released a patch and advisory
This vulnerability was discovered by Steven Seeley of Source Incite