How to identify and mitigate the unauthenticated product integration vulnerability?

Some versions of RecoveryManager Plus have the unauthenticated change to integriotion system vulnerability (CVE-2020-24786) as reported by Florian Hauser. This article explains how you can identify if your RecoveryManager Plus installation is affected, and fix it. It also offers the mitigation steps to protect your installation in case it is not affected.

What is the issue?

RecoveryManager Plus had a vulnerable endpoint which allowed a user to integrate RecoveryManager Plus with any other supported ManageEngine product, bypassing authentication. This could lead to data leak.

Which version of RecoveryManager Plus is affected?

Users using RecoveryManager Plus versions below 6017.

What is the severity level of the vulnerability?

This is a critical issue. As this vulnerability could be exploited without authentication, from any publicly exposed RecoveryManager Plus installation, the risks posed could be critical.

Is there a fix for this issue?

Update the product to the latest build, 6017 using the service pack.

If you need further information, have any questions, or face any difficulties upgrading the product, please get in touch with us at support@recoverymanagerplus.com, or +1-844-245-1108 (toll free).