CVE-2020-10917 CRITICAL

CVE-2020-10917

Vendor Nec

Product ESMPRO Manager

Weakness CWE-502 · Unsafe deserialization

Published July 22, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NEC ESMPRO Manager 6.42. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RMI service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10007.

Key dates

02Disclosure timeline

July 22, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-10917

Related vulnerabilities

04Related CVE

CVE-2026-27082 WordPress Love Story theme <= 1.3.12 - PHP Object Injection vulnerability CVE-2023-39476 Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability CVE-2024-47886 Chamilo: Post-Auth Remote Code Execution CVE-2026-24954 WordPress WpEvently plugin <= 5.0.8 - Deserialization of untrusted data vulnerability CVE-2025-58592 WordPress TranslatePress Plugin <= 2.10.2 - Deserialization of untrusted data Vulnerability