CVE-2020-24786: An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus befor...

Description

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

12.82%

95.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions	Update
Zohocorp	Manageengine Adselfservice Plus	<= 5.7	—
Zohocorp	Manageengine Adselfservice Plus	5.8	—
Zohocorp	Manageengine Exchange Reporter Plus	<= 5.4	—
Zohocorp	Manageengine Exchange Reporter Plus	5.5	5500
Zohocorp	Manageengine Ad360	<= 4.1	—
Zohocorp	Manageengine Ad360	4.2	4200
Zohocorp	Manageengine Datasecurity Plus	<= 5.0	—
Zohocorp	Manageengine Datasecurity Plus	6.0	6000
Zohocorp	Manageengine Recovermanager Plus	<= 5.4	—
Zohocorp	Manageengine Recovermanager Plus	6.0	6001
Zohocorp	Manageengine Eventlog Analyzer	<= 12.1.2	—
Zohocorp	Manageengine Eventlog Analyzer	12.1.3	12130
Zohocorp	Manageengine Adaudit Plus	<= 5.1	—
Zohocorp	Manageengine Adaudit Plus	6.0	6000
Zohocorp	Manageengine O365 Manager Plus	<= 4.2	—
Zohocorp	Manageengine O365 Manager Plus	4.3	4300
Zohocorp	Manageengine Cloud Security Plus	<= 4.0	—
Zohocorp	Manageengine Cloud Security Plus	4.1	4100
Zohocorp	Manageengine Admanager Plus	<= 6.6	—
Zohocorp	Manageengine Admanager Plus	7.0	7000
Zohocorp	Manageengine Log360	<= 5.0	—
Zohocorp	Manageengine Log360	5.1	5100

References

Timeline

Published: Aug 31, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-24786?

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.

How severe is CVE-2020-24786?

CVE-2020-24786 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 12.82% probability of exploitation in the next 30 days.

How do I fix CVE-2020-24786?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.