On March 5th, a functional exploit for an unpatched vulnerability in ManageEngine Desktop Central was published by security researcher Steven Seely. The exploit allows attackers to upload files and remotely run commands with SYSTEM permissions, without any authentication required. Desktop Central is a Zoho product used for endpoint management that Managed Service Providers (MSPs) use frequently. The exploit could allow attackers to gain complete control of servers that are connected to the Internet or move laterally to internal servers from an initial compromise of a workstation. A search on Shodan revealed approximately 2,300 publicly exposed Desktop Central servers that could be targeted.
Analyst Notes
Zoho has announced that a patch is expected later today (March 6th), which should be applied as soon as possible. Until the patch is installed, access to affected Desktop Central servers should be limited using firewall rules to only the IP addresses that need to access them. Endpoint Detection and Response (EDR) software monitoring servers and workstations is an important part of defense to detect any intrusions that may occur as a result of this or other exploits.
For more information, please see: https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/
