ManageEngine Desktop Central Policy Bypass Vulnerability

January 9, 2015

Desktop Central is an integrated desktop and mobile device management product that manages servers, laptops, desktops, smartphones and tablets from a central point. It automates routine desktop management tasks such as installing patches, distributing software, managing IT assets and software licenses, monitoring software usage statistics, controlling USB device usage and taking remote control of desktops.

A policy bypass vulnerability exists in ManageEngine Desktop Central. The parameters sent to the Dcpluginservelet page are not validated properly, so the servlet performs privileged account operations without checking that the caller is authenticated or authorized. A remote, unauthenticated attacker can therefore create an administrator account with a single specially crafted request to this servlet. The request creates a new administrator user "dcpwn" with the password "admin", which gives the attacker full administrative access to the Desktop Central console.
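Because the attack is a single unauthenticated request to one servlet, the most useful host-side check is to review the Desktop Central web-server access log for hits on that servlet and for the account name the advisory reports. The following scanner is an added example for this page, not SonicWALL's signature or ManageEngine's code. It assumes the server writes common/combined-format access logs, matches the servlet name case-insensitively (the advisory gives the name, not the exact case the server uses), and treats the list of hosts expected to call the servlet as something the analyst supplies; the log lines are constructed for illustration, and the query-string parameter name in them is a placeholder because the advisory does not list the real parameters.

```python
"""Scan web access logs for requests to the Desktop Central servlet named in the
advisory for CVE-2014-7862 and for the account name it reports (dcpwn).

Added example: not code from the advisory, SonicWALL or ManageEngine.
Assumptions: common/combined access-log format; the servlet name appears in the
request path; the analyst knows which hosts legitimately call the servlet.
"""
import re
from urllib.parse import urlsplit

SERVLET_MARKER = "dcpluginservelet"   # servlet named in the advisory; matched case-insensitively
IOC_ACCOUNT = "dcpwn"                 # administrator name the advisory says the crafted request creates

# Common/combined log format: src ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real Desktop Central output). The query
# parameter name "name" is a placeholder; the advisory does not give the real one.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2015:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [09/Jan/2015:10:13:44 +0000] "GET /servlets/DCPluginServelet?name=dcpwn HTTP/1.1" 200 88
10.0.0.9 - - [09/Jan/2015:10:14:02 +0000] "POST /servlets/DCPluginServelet HTTP/1.1" 200 40
198.51.100.3 - - [09/Jan/2015:10:15:19 +0000] "GET /servlets/dcpluginservelet?x=1 HTTP/1.1" 404 10
this line is not an access-log record
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def classify(rec, expected_sources):
    """Return a verdict for a parsed record, or None if it does not touch the servlet.

    'ioc'      - the request mentions the account name reported in the advisory
    'expected' - servlet hit from a host the analyst expects to call it
    'review'   - servlet hit from any other host; needs analyst attention
    """
    if SERVLET_MARKER not in rec["path"].lower():
        return None
    if IOC_ACCOUNT in rec["query"].lower():
        return "ioc"
    if rec["src"] in expected_sources:
        return "expected"
    return "review"


def scan(lines, expected_sources=frozenset()):
    """Return every servlet hit as a dict with src, method, status, query and verdict.

    Lines that do not parse are skipped rather than raising, so one malformed
    record does not abort a scan of a large log.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec, expected_sources)
        if verdict is None:
            continue
        hits.append({
            "src": rec["src"], "ts": rec["ts"], "method": rec["method"],
            "status": rec["status"], "query": rec["query"], "verdict": verdict,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines(), expected_sources={"10.0.0.9"}):
        print(f'{hit["verdict"]:8} {hit["src"]:14} {hit["method"]} status={hit["status"]} query={hit["query"]!r}')
```

The scanner reports every hit on the servlet, including ones that returned an error status, because a 404 or 500 from an unexpected source can be a probe that preceded a successful attempt; the analyst decides what to discard. Independently of the log, the Desktop Central user list should be checked for an administrator named "dcpwn" or any other account nobody recognizes.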

The Dell SonicWALL Threat Research Team has analyzed this vulnerability (CVE-2014-7862) and released the following IPS signature to protect its customers.

  • IPS 6180 : ManageEngine Desktop Central Policy Bypass