Zoho Desk — Vulnerability Disclosure
Atumcell-discovered weakness in Zoho's Desk help-desk product, disclosed to the vendor and reported alongside the MoveIt Transfer finding.
AFFECTED
Zoho (Zoho Desk)
SEVERITY
High
SUMMARY
Atumcell research surfaced a security weakness in Zoho's Desk product — a widely deployed help-desk and customer-support platform. Disclosure was coordinated with Zoho, and the finding was covered in the trade press alongside the related MoveIt Transfer disclosure.
DETAIL
Help-desk and customer-support platforms increasingly sit in the same operational tier as identity and email infrastructure: they hold customer-confidential records, internal-process metadata, and frequently inherited authentication paths to other systems. Zoho Desk is widely deployed in mid-market and SMB segments where assurance investment lags the product's effective access scope.
The finding was disclosed to Zoho through their coordinated disclosure process. Channel Futures reported the disclosure in December 2024. The pattern this finding reinforces — assurance work that stops at the boundary of "core IT" and treats SaaS support tooling as out-of-scope — is one of the more common gaps surfaced in mid-market technical due diligence.