CVE-2024-2370 (CVSS 9.8): Critical Flaw in ManageEngine Desktop Central Poses Major Security Risk

Organizations using a widely deployed enterprise management solution are facing a serious security threat. A critical vulnerability (CVE-2024-2370, CVSS 9.8) has been discovered in older versions of ManageEngine Desktop Central, developed by Zoho Corporation.

Security researchers at INCIBE, Spain’s National Cybersecurity Institute, coordinated the disclosure of this vulnerability, initially reported by Rafael Pedero. This flaw makes it possible for a remote attacker to upload malicious files to a vulnerable system without needing any login credentials.

The Risk

This vulnerability poses a substantial risk due to Desktop Central’s purpose and reach. As a Unified Endpoint Management (UEM) solution, it has deep access to a network’s PCs, servers, and mobile devices. Successful exploitation of this flaw could allow attackers to:

• Deploy malware or ransomware across an entire network
• Steal sensitive data
• Disrupt critical business operations

Affected Versions

The CVE-2024-2370 vulnerability specifically exists in ManageEngine Desktop Central version 9, build 90055. Crucially, this version is more than five years old, highlighting the dangers of running outdated software.

Mitigation

Zoho has addressed this vulnerability in newer versions of Desktop Central (now referred to as Endpoint Central). Organizations using this software are urged to take immediate action:

1. Identify: Determine if any systems are still running the affected version of Desktop Central.
2. Update: Upgrade affected systems to the latest secure version as soon as possible.

Call to Action

This incident shines a spotlight on the importance of timely software updates. Neglecting to patch known vulnerabilities leaves organizations open to attack, even years after the fixes have been released.