CVE-2020-15588: Integer Overflow
First published: Wed Jul 29 2020(Updated: )
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp Manageengine Desktop Central | <10.0.561 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-15588?
CVE-2020-15588 is a vulnerability in Zoho ManageEngine Desktop Central 10.0.552.W that allows an attacker-controlled server to trigger an integer overflow, leading to a heap-based buffer overflow and remote code execution with SYSTEM privileges.
How severe is CVE-2020-15588?
CVE-2020-15588 has a severity keyword of 'critical' and a severity value of 9.8, indicating a highly critical vulnerability.
Which software versions are affected by CVE-2020-15588?
Versions up to and exclusive of 10.0.561 of Zoho ManageEngine Desktop Central are affected by CVE-2020-15588.
How can an attacker exploit CVE-2020-15588?
An attacker can exploit CVE-2020-15588 by controlling a server and triggering an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate, leading to a heap-based buffer overflow and remote code execution.
Is there a patch available for CVE-2020-15588?
It is recommended to update to version 10.0.561 or later of Zoho ManageEngine Desktop Central to mitigate CVE-2020-15588.
- collector/nvd-index
- vendor/zohocorp
- product/manageengine desktop central
- canonical/zohocorp manageengine desktop central