CVE-2020-9367

7.8 HIGH

📋 TL;DR

This vulnerability allows DLL hijacking in Zoho ManageEngine Desktop Central MSP, enabling attackers to execute arbitrary code with SYSTEM privileges. It affects systems running the vulnerable MPS Agent component. Attackers can escalate privileges by placing a malicious DLL in a location where the application searches for it.

💻 Affected Systems

Products:
  • Zoho ManageEngine Desktop Central MSP
Versions: MSP build 10.0.486 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects dcinventory.exe and dcconfig.exe components of the MPS Agent.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full SYSTEM privilege escalation leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Local privilege escalation allowing attackers to gain SYSTEM privileges on affected systems.

🟢 If Mitigated: Limited impact with proper file permissions and restricted user access preventing DLL placement.

🌐 Internet-Facing: LOW - Requires local access or ability to place files on target system.
🏢 Internal Only: HIGH - Internal attackers or malware with local access can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to place malicious DLL in application search path. No authentication bypass needed beyond initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 10.0.487 and later

Vendor Advisory: https://www.manageengine.com/desktop-management-msp/dll-hijacking-vulnerability.html

Restart Required: Yes

Instructions:

1. Download latest version from ManageEngine website.
2. Stop Desktop Central MSP services.
3. Install update.
4. Restart services.

🔧 Temporary Workarounds

Restrict DLL search paths

windows

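Enable safe DLL search mode so that the current working directory is searched after the system directories instead of before them. This setting is on by default in current Windows versions and does not stop a DLL from being loaded out of the application's own directory, so treat it as a hardening check rather than a substitute for the patch.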

reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

Set restrictive file permissions

windows

Prevent unauthorized users from writing to Desktop Central MSP directories

icacls "C:\Program Files\ManageEngine\Desktop Central MSP" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Implement strict file system permissions on Desktop Central MSP directories
  • Monitor for suspicious DLL creation in application directories

🔍 How to Verify

Check if Vulnerable:

Check if Desktop Central MSP version is 10.0.486 or earlier and CSUNSAPI.dll is missing from installation directory

Check Version:

Check Help > About in Desktop Central MSP console or examine version.txt in installation directory

Verify Fix Applied:

Verify version is 10.0.487 or later and CSUNSAPI.dll is present or properly referenced

📡 Detection & Monitoring

Log Indicators:

  • Failed DLL loading attempts
  • Unexpected process creation from dcinventory.exe or dcconfig.exe

Network Indicators:

  • Unusual outbound connections from Desktop Central MSP processes

SIEM Query:

Process Creation where (Image contains 'dcinventory.exe' OR Image contains 'dcconfig.exe') AND CommandLine contains 'CSUNSAPI.dll'
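
A DLL that a process loads does not normally appear on its command line, so the indicators above can also be checked against image-load and file-create telemetry. The following is an added example, not part of the original advisory or any vendor tooling: it triages Sysmon-style events (Event ID 7 ImageLoad, which must be enabled in the Sysmon configuration, and Event ID 11 FileCreate). It assumes the install directory from the icacls workaround is the only legitimate location for the DLL, and its sample events are constructed.

```python
import ntpath  # Windows path handling that also works when analysing logs on Linux

# Process and DLL names are from the advisory. TRUSTED_DIR is the path used in the
# icacls workaround; treating it as the only legitimate DLL location is an assumption.
WATCHED_PROCS = {"dcinventory.exe", "dcconfig.exe"}
WATCHED_DLL = "csunsapi.dll"
TRUSTED_DIR = r"c:\program files\manageengine\desktop central msp"

def _base(path):
    return ntpath.basename(path).lower()

def _trusted(path):
    # normpath collapses ".." so a traversal cannot pass the prefix check
    return ntpath.normpath(path).lower().startswith(TRUSTED_DIR + "\\")

def triage(ev):
    """Return a finding string for one Sysmon-style event dict, else None."""
    if ev.get("EventID") == 7:  # ImageLoad
        if _base(ev["Image"]) in WATCHED_PROCS and _base(ev["ImageLoaded"]) == WATCHED_DLL:
            why = []
            if not _trusted(ev["ImageLoaded"]):
                why.append("outside install directory")
            if ev.get("SignatureStatus") != "Valid":
                why.append("signature not valid")
            if why:
                return "ImageLoad " + ev["ImageLoaded"] + ": " + ", ".join(why)
    elif ev.get("EventID") == 11:  # FileCreate
        # A patch install may create this file legitimately; check against change windows.
        if _base(ev["TargetFilename"]) == WATCHED_DLL:
            return "FileCreate " + ev["TargetFilename"] + " by " + _base(ev["Image"])
    return None

def scan(events):
    return [f for f in map(triage, events) if f]

D = r"C:\Program Files\ManageEngine\Desktop Central MSP"
SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"EventID": 7, "Image": D + r"\dcconfig.exe",
     "ImageLoaded": r"C:\Temp\CSUNSAPI.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": D + r"\dcinventory.exe",
     "ImageLoaded": D + r"\CSUNSAPI.dll", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": D + r"\dcconfig.exe",
     "ImageLoaded": D + r"\..\..\..\Temp\CSUNSAPI.dll", "SignatureStatus": "Valid"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Temp\CSUNSAPI.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```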
