ManageEngine, the IT help desk software made by Zoho Corp, is affected by a zero-day vulnerability that enables unauthenticated access to systems, allowing a remote attacker to launch attacks. Zoho has since released an update that addresses the vulnerability, which was discovered by Steven Seeley of Source Incite on Thursday. Seeley published information about the flaw on Twitter, along with a proof-of-concept exploit.
Zoho announced that it plans to release a patch for the flaw on Friday. The flaw exists specifically within the FileStorage function of Desktop Central, which is used to read data from or write data to a file. The vulnerability within this function can result in the deserialization of untrusted data, which effectively gives attackers full control of the target machine.
Read More: Critical Zoho Zero-Day Flaw Disclosed