Unauthenticated RCE in Zoho ManageEngine Desktop Central getChartImage
CVE-2020-10189 is an unauthenticated remote code execution vulnerability in Zoho ManageEngine Desktop Central caused by deserialization of untrusted data in the getChartImage functionality of the FileStorage class. The issue is associated with the CewolfServlet and MDMLogUploaderServlet servlets. A remote attacker can supply crafted serialized data to the vulnerable code path and trigger unsafe deserialization on the server. The vulnerability affects Desktop Central before 10.0.474; reporting also states that build 10.0.473 and below are affected. Successful exploitation results in arbitrary code execution on the target server.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a single Python exploit script (src-2020-0011.py) targeting CVE-2020-10189, a critical unauthenticated remote code execution vulnerability in ManageEngine Desktop Central. The exploit leverages a deserialization flaw in the CewolfServlet's FileStorage mechanism, allowing an attacker to upload a malicious serialized Java object via a directory traversal vulnerability in the mdmLogUploader endpoint. The payload is then triggered by accessing the /cewolf/ servlet with a crafted parameter, resulting in arbitrary command execution as SYSTEM/root. The script requires the attacker to specify the target host and the command to execute. The exploit is operational and demonstrates a full attack chain, including payload generation, file upload, and execution trigger. The main network endpoints involved are the mdmLogUploader and cewolf servlets, both accessible over HTTPS on port 8383. The repository is well-documented, with in-depth technical analysis and clear usage instructions.
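A defender-side check for the chain described above, as an added example that is not from the original page or the exploit repository: it scans web access logs for a request to the mdmLogUploader endpoint that carries a traversal sequence, followed by a /cewolf/ request from the same client. The log format, exact URL paths, query parameter names and addresses in the sample are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (assumed common log format); not from a real host.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2020:10:01:02 +0000] "POST /mdmLogUploader?a=..%5C..%5Cx&b=y HTTP/1.1" 200 0
198.51.100.7 - - [10/Mar/2020:10:01:05 +0000] "GET /cewolf/?k=v HTTP/1.1" 200 0
203.0.113.9 - - [10/Mar/2020:10:02:00 +0000] "GET /cewolf/?k=v HTTP/1.1" 200 512
203.0.113.20 - - [10/Mar/2020:10:03:00 +0000] "POST /mdmLogUploader?a=dev1&b=log.zip HTTP/1.1" 200 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')
TRAVERSAL = re.compile(r'\.\.[\\/]')  # "../" or "..\" after decoding

def decode(s, rounds=3):
    # Repeatedly URL-decode so double-encoded sequences (%252e%252e) are normalised.
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def find_chains(log_text):
    """Flag traversal-bearing uploads and any later /cewolf/ hit from the same client."""
    uploaders = set()  # clients already seen sending a traversal-bearing upload
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, _method, target = m.groups()
        parts = urlsplit(target)
        path = parts.path.lower()
        if "mdmloguploader" in path and TRAVERSAL.search(decode(parts.query)):
            uploaders.add(client)
            findings.append((n, client, "traversal-upload"))
        elif path.startswith("/cewolf") and client in uploaders:
            findings.append((n, client, "cewolf-after-upload"))
    return findings

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG):
        print(finding)
```

A /cewolf/ request on its own is normal chart traffic, which is why the check only raises it when the same client has already sent a traversal-bearing upload.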
Recent activity
19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Zoho ManageEngine vulnerability listed as an example of an internet-facing flaw implicated in ransomware incidents (2020–2022) and recommended for defenders to check and mitigate.
A Zoho ManageEngine vulnerability listed as one of the observed vulnerabilities used in campaigns between 2020 and 2022.
A previously known vulnerability referenced by the author for comparison/context only; no substantive technical discussion is provided in this content.
A remote code execution vulnerability in Zoho ManageEngine Desktop Central's getChartImage functionality referenced as an IPS detection associated with APT41-related coverage.