Zoho has released a security patch for a vulnerability (CVE-2020-10189) in ManageEngine Desktop Central, a unified endpoint management platform. Many MSPs (managed IT service providers) leverage Desktop Central to remotely monitor and manage PCs, servers, smartphones and tablets.
The Zoho patch covers Desktop Central build 10.0.473 and below. If left unpatched, a remote attacker could exploit the vulnerability to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS), issued an alert about the patch on March 6.
Hackers frequently target MSP software platforms as a universal doorway into multiple end-customer systems. The DHS and FBI have repeatedly warned MSPs to lock down their own software systems, patch regularly, and implement multi-factor authentication across RMM (remote monitoring and management), remote control and other types of IT management software platforms.