Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!
Advisory: https://srcincite.io/advisories/src-2020-0011/ …
Exploit: https://srcincite.io/pocs/src-2020-0011.py.txt …
Well that’s interesting - I wonder why the researchers chose this path instead? Btw, just because a vendor has a bug bounty doesn’t mean they are responsive, but this program looks active and easy to find. Guess we’ll have to see why if the researchers choose to share the reasons. pic.twitter.com/jKM481kddS
Because it’s a pay-to-stfu bounty? Also, I have submitted 3 other unauthed RCEs in the past only to have them silently patched, no credit and no payout.
They answered my previous report (duplicate) in just a few minutes.