CVE-2020-10917: NEC ESMPRO Manager RMI Deserialization of Untrusted Data Remote Code Execution Vulnerability
First published: Wed Jul 22 2020(Updated: )
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NEC ESMPRO Manager 6.42. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RMI service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10007.
Credit: zdi-disclosures@trendmicro.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| NEC ESMPRO Manager | =6.42 | |
| NEC ESMPRO Manager |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-10917?
CVE-2020-10917 is a vulnerability that allows remote attackers to execute arbitrary code on affected installations of NEC ESMPRO Manager 6.42.
How severe is CVE-2020-10917?
CVE-2020-10917 has a severity rating of 9.8 out of 10, which is classified as critical.
How does CVE-2020-10917 affect NEC ESMPRO Manager?
CVE-2020-10917 affects installations of NEC ESMPRO Manager 6.42.
Is authentication required to exploit CVE-2020-10917?
No, authentication is not required to exploit CVE-2020-10917.
How do I fix CVE-2020-10917?
To fix CVE-2020-10917, NEC ESMPRO Manager installations should be updated to a version that has addressed the vulnerability.
- collector/nvd-index
- collector/zdi-advisory
- alias/ZDI-20-684
- alias/ZDI-CAN-10007
- alias/CVE-2020-10917
- agent/weakness
- agent/title
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/last-modified-date
- vendor/nec
- canonical/nec esmpro manager
- version/nec esmpro manager/6.42