Heads up, Zoho customers! A zero-day vulnerability in a Zoho product poses a serious security threat. A disgruntled researcher dropped the bug publicly on Twitter, and no patch is available yet.
Security researcher Steven Seeley reportedly disclosed the Zoho zero-day on Twitter. The bug exists in Zoho's ManageEngine Desktop Central, an endpoint management product. Exploiting it allows an unauthenticated remote attacker to execute arbitrary code on the server.
The researcher disclosed the bug publicly because, according to them, Zoho did not act on their bug reports.
In a separate advisory elaborating on the vulnerability, the researcher stated that exploiting the flaw requires no authentication. On how the flaw affects the system, the advisory reads,
The advisory rates the vulnerability as critical, with a CVSS score of 9.8, and the researcher has also published a proof-of-concept exploit for it.
The vulnerability has been assigned the identifier CVE-2020-10189.
Because the vulnerability was disclosed publicly rather than through a coordinated disclosure process, no patch is currently available, so every exposed Desktop Central installation is at risk. Until Zoho ships a fix, administrators should at minimum ensure the Desktop Central server is not reachable from the internet and restrict access to it to trusted management networks, since the flaw needs no credentials to exploit.