Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!
Advisory: https://srcincite.io/advisories/src-2020-0011/ …
Exploit: https://srcincite.io/pocs/src-2020-0011.py.txt …
Zoho should say that somewhere on their website if that’s the only way they respond to outside security research. Researchers shouldn’t have the burden of seeking out whatever channel the vendor is willing to use to take a report seriously. The channel for reporting should be obv
https://www.google.com/search?q=zoho+report+vulnerability … finds me: https://bugbounty.zoho.com/bb/info Which as far as I can tell is a way for a researcher to report a vulnerability to Zoho. Not much burden. I don't get the impression that this was a case of an unresponsive vendor. I don't think the vendor was notified.
It appears he was interested. The uninterested ones are quite clearly Zoho.