eSentire has observed active exploitation of the recently disclosed zero-day vulnerability in Zoho ManageEngine Desktop Central. The vulnerability was publicly disclosed on March 5th, 2020, together with proof-of-concept exploit code. If exploited, it allows remote code execution on vulnerable systems, which can lead to a variety of malicious outcomes, including data exfiltration and the download of additional malicious content.
As active exploitation of this vulnerability is already occurring in the wild, organizations are strongly advised to deploy the official Zoho security patches to avoid compromise. Zoho has released guidance for assessing whether vulnerable devices have already been exploited.
What we’re doing about it
- The security teams at eSentire are proactively working to identify impacted customers
- Known malicious IP addresses associated with the exploitation of this vulnerability have been added to the eSentire Global Blacklist
- Known Indicators of Compromise have been checked against esENDPOINT clients
- Detection methods for esENDPOINT and esNETWORK are being evaluated
What you should do about it
- Update vulnerable systems to ManageEngine Desktop Central version 10.0.479 (the fix first shipped in build 10.0.474, so any build from 10.0.474 onward contains it)
- Investigate for signs of prior compromise as outlined in the Zoho article "Identification and mitigation of Remote Code Execution vulnerability"
The vulnerability, tracked as CVE-2020-10189, affects Zoho ManageEngine Desktop Central builds before 10.0.474. It is caused by deserialization of untrusted data in the getChartImage method of the FileStorage class; because the affected code runs in the context of SYSTEM, successful exploitation yields remote code execution with SYSTEM privileges.
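To make the root cause concrete, the following is an added example illustrating the vulnerability class the advisory names (Java deserialization of untrusted data) and the usual hardening for it. It is not Zoho's code and is not the CVE-2020-10189 exploit: the internals of FileStorage.getChartImage are not shown on this page, so the class names, fields and the "unexpected" type here are hypothetical stand-ins, and the sample byte streams are constructed in main() rather than captured from a real request.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added illustration of "deserialization of untrusted data", the bug class behind
// CVE-2020-10189. Hypothetical class names throughout; this is NOT Zoho's code.
public class DeserializationDemo {

    // Hypothetical stand-in for the object the endpoint legitimately expects.
    static class ChartRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String chartId;
        ChartRequest(String chartId) { this.chartId = chartId; }
    }

    // Stand-in for any unexpected class on the classpath. Its readObject() runs as a
    // side effect of deserialization itself, before the caller ever sees the object.
    // A real gadget chain does exactly this with attacker-chosen code instead of a flag.
    static class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;
        }
    }

    // Helper used only to construct sample input for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern: readObject() on bytes the caller does not control. Whatever class
    // the stream names is loaded and instantiated; no application-level check runs first.
    static Object unsafeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: a JEP 290 ObjectInputFilter (Java 9+, backported to 8u121) that
    // allow-lists the expected class and rejects everything else ("!*") before it is loaded.
    static Object safeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$ChartRequest;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ChartRequest("cpu-usage"));   // constructed sample input
        byte[] unexpected = serialize(new UnexpectedType());         // constructed sample input

        System.out.println("unsafe/expected   -> " + unsafeDeserialize(expected).getClass().getSimpleName());
        unsafeDeserialize(unexpected);
        System.out.println("unsafe/unexpected -> UnexpectedType.readObject ran: " + UnexpectedType.readObjectRan);

        UnexpectedType.readObjectRan = false;
        System.out.println("safe/expected     -> " + safeDeserialize(expected).getClass().getSimpleName());
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe/unexpected   -> rejected by filter; readObject ran: "
                    + UnexpectedType.readObjectRan + " (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `java DeserializationDemo.java` on Java 11 or later. The first two lines show the unsafe path returning an object of a class the endpoint never asked for, with that class's readObject() having already executed; the filtered path rejects the same stream with an InvalidClassException before the class is instantiated. In production the filter would also carry resource limits such as `maxdepth=` and `maxarray=`, and a JVM-wide `jdk.serialFilter` property provides a safety net for code paths that never call setObjectInputFilter.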