CVE-2020-24786
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass authentication in multiple Zoho ManageEngine products via a Java servlet. Attackers can modify system integration properties, potentially leading to full compromise of the ManageEngine suite. Organizations using affected versions of the listed ManageEngine products are at risk.
💻 Affected Systems
- Zoho ManageEngine Exchange Reporter Plus
- AD360
- ADSelfService Plus
- DataSecurity Plus
- RecoverManager Plus
- EventLog Analyzer
- ADAudit Plus
- O365 Manager Plus
- Cloud Security Plus
- ADManager Plus
- Log360
📦 What is this software?
Manageengine Adselfservice Plus by Zohocorp
Manageengine Cloud Security Plus by Zohocorp
Manageengine Exchange Reporter Plus by Zohocorp
Manageengine Recovermanager Plus by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the ManageEngine suite, allowing attackers to gain administrative access, modify configurations, access sensitive data, and potentially pivot to other systems.
Likely Case
Unauthenticated attackers gain administrative privileges to affected ManageEngine products, enabling configuration changes, data exfiltration, and further system compromise.
If Mitigated
Upgrading to a patched build eliminates the vulnerability; network restriction and the other workarounds below reduce the risk but do not fully mitigate it.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable servlet; public details and proof-of-concept are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version (fixed build numbers):
- Exchange Reporter Plus 5510
- AD360 4228
- ADSelfService Plus 5817
- DataSecurity Plus 6033
- RecoverManager Plus 6017
- EventLog Analyzer 12136
- ADAudit Plus 6052
- O365 Manager Plus 4334
- Cloud Security Plus 4110
- ADManager Plus 7055
- Log360 5166
Vendor Advisory: https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability
Restart Required: Yes
Instructions:
1. Download and install the latest build for your specific ManageEngine product from the official Zoho website.
2. Apply the patch according to the vendor instructions.
3. Restart the ManageEngine service so the changes take effect.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the ManageEngine products to trusted IP addresses only, blocking external and unauthorized internal access.
Use firewall rules (e.g., iptables on Linux or Windows Firewall) to allow only specific IPs to access the ManageEngine service ports.
Servlet Disablement
Disable or block access to the vulnerable Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails if your configuration allows it.
Modify web.xml or application configuration to restrict access to the servlet; consult product documentation for specific steps.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ManageEngine products from untrusted networks.
- Monitor logs and network traffic for unauthorized access attempts to the vulnerable servlet.
🔍 How to Verify
Check if Vulnerable:
Check the build number of your ManageEngine product via the web interface or configuration files and compare with patched versions listed above.
Check Version:
Check the product's web interface under 'About' or 'Help' sections, or examine configuration files for version details.
Verify Fix Applied:
After patching, verify that the build number has been updated to the patched version listed above and confirm that the servlet no longer accepts unauthenticated requests.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated HTTP requests to /servlet/UpdateProductDetails or similar paths
- Unusual configuration changes or administrative actions from unexpected IP addresses
Network Indicators:
- HTTP POST requests to the vulnerable servlet endpoint from unauthorized sources
SIEM Query:
Example: source_ip NOT IN trusted_ips AND uri_path CONTAINS 'UpdateProductDetails' AND http_method = 'POST'
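The SIEM logic above, applied to web-server access log lines, as an added example that is not part of the advisory or of any vendor tooling; the trusted address ranges and the log lines are constructed for illustration.

```python
# Added example: flag POST requests to the UpdateProductDetails servlet from
# sources outside a trusted allowlist. Allowlist and log lines are constructed.
import ipaddress
import re

# Constructed allowlist: the only hosts that should call the integration servlet.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24"),
                    ipaddress.ip_network("192.168.1.10/32")]

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    """True if the source address falls inside any trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious(lines):
    """Return parsed entries where method is POST, the path contains
    'UpdateProductDetails' and the source is not trusted. Unparseable
    lines are skipped rather than raising, so a malformed line cannot
    stop the sweep."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if "UpdateProductDetails" not in rec["path"]:
            continue
        if is_trusted(rec["ip"]):
            continue
        hits.append(rec)
    return hits

# Constructed sample log: one trusted call, one untrusted POST (the hit),
# one untrusted GET, one unrelated request and one malformed line.
SAMPLE_LOG = [
    '10.0.5.12 - - [18/May/2020:10:01:02 +0000] "POST /servlet/UpdateProductDetails HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/May/2020:10:02:15 +0000] "POST /servlet/UpdateProductDetails HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/May/2020:10:02:16 +0000] "GET /servlet/UpdateProductDetails HTTP/1.1" 405 0',
    '198.51.100.4 - - [18/May/2020:10:03:00 +0000] "POST /login.do HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {hit['time']} {hit['ip']} POST {hit['path']} -> {hit['status']}")
```

A 200 status on a flagged request is the stronger signal, since the fixed builds reject unauthenticated calls to this servlet.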
🔗 References
- https://medium.com/%40frycos/another-zoho-manageengine-story-7b472f1515f5
- https://pitstop.manageengine.com/portal/en/community/topic/admanager-plus-fixes-and-enhancements
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-17-5-2020
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-18-5-2020
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-15-5-2020-1
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-18-5-2020
- https://pitstop.manageengine.com/portal/en/kb/articles/manageengine-cloud-security-plus-security-advisory-regarding-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/kb/articles/manageengine-log360-security-advisory-regarding-unauthenticated-product-integration-vulnerability
- https://www.manageengine.com/data-security/release-notes.html
- https://www.manageengine.com/products/eventlog/features-new.html