Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!
Advisory: https://srcincite.io/advisories/src-2020-0011/ …
Exploit: https://srcincite.io/pocs/src-2020-0011.py.txt …
-
-
and if they lie and say "we already had a fix for this in the pipeline" every time, is there a mitigation against that?
-
If a vendor told the CERT/CC "we already had a fix for this in the pipeline", that would probably only ensure that we don't give them any leniency in a disclosure timeframe. I don't understand what's to be mitigated. Reporter gets credit from CERT/CC, not a bounty from vendor.
- 1 more reply
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.