External risk intelligence

ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability

CVE advisory | Known Exploit

CVE-2021-44077

Zoho ManageEngine products are affected by a flaw enabling unauthenticated remote code execution. This presents a business risk by allowing unauthorized system control and potential data compromise. Remediation is advised to mitigate these risks.

Halo Surface Signal: 4

Missing Authentication

Zohocorp Manageengine Servicedesk Plus

Affected version ranges: before 11.1, 11.1, 11.2, 11.3; before 10.5, 10.5

External exposure likelihood

Halo Surface Signal score for CVE-2021-44077

This product is an IT service management and help desk application commonly deployed as a web-accessible portal for end-users and technicians. Such management services are typically hosted on web servers, often exposed to the internet or wide-reaching enterprise networks to facilitate remote support and ticketing, making them a common target for external network-based interaction.

Horizon Alert

Summary of the vulnerability and why it matters

Zoho ManageEngine products, specifically ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus, contain a flaw that allows unauthenticated remote code execution. This vulnerability is associated with specific API and configuration elements within the affected applications. The exploitation of this weakness could lead to significant business risk by enabling unauthorized control over vulnerable systems.

  • Vulnerable Zoho ManageEngine products
  • Flaw permits unauthenticated code execution
  • Potential for system compromise and data loss

Attack Path

How an attacker could exploit the issue

The described vulnerability allows for unauthenticated remote code execution. Attackers can exploit this by interacting with specific URLs within the application's servlet. This interaction, specifically related to importing technicians, can lead to the attacker gaining control of the system.

  • External access to application URLs
  • Unauthenticated access to specific servlet paths
  • Triggering technician import results in code execution

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability presents a significant threat due to its unauthenticated remote code execution capability, allowing attackers to compromise systems. This type of vulnerability could enable attackers to upload malicious files, gain control of systems, move laterally within a network, and exfiltrate sensitive data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified this vulnerability as actively exploited and included it in its Known Exploited Vulnerabilities Catalog, indicating a high risk and urgency for remediation.

  • Likely attacker skill level: Any skill level.
  • Required access or conditions: Unauthenticated network access.
  • Business risk or urgency: Critical; immediate remediation required.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows unauthenticated remote code execution on affected Zoho ManageEngine products. Attackers can exploit this to gain unauthorized access and control over impacted systems. The organization should prioritize remediation to mitigate business risk and protect sensitive data.

  • Identify all instances of affected products.
  • Isolate exposed systems or reduce network access.
  • Apply vendor updates and validate successful installation.
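The attack-path notes above name the elements this page associates with the flaw (/RestAPI URLs and the ImportTechnicians function), and the priority actions ask for an inventory of affected builds followed by validation of the update. The following script, added here as an illustration and not part of this advisory or any ManageEngine tooling, does both against constructed data: it triages an inventory against the fixed builds stated in the FAQ (11306, 10530, 11014) and scans access-log lines for requests that touch those path elements. The log format, the host names and the exact path matching are assumptions made for the example.

```python
import re

# Fixed builds as stated on this page: ServiceDesk Plus 11306, ServiceDesk Plus MSP 10530,
# SupportCenter Plus 11014. Any lower build is treated as still affected.
FIXED_BUILDS = {
    "ServiceDesk Plus": 11306,
    "ServiceDesk Plus MSP": 10530,
    "SupportCenter Plus": 11014,
}


def is_affected(product: str, build: int) -> bool:
    """True when the installed build is older than the fixed build for that product."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        raise ValueError(f"unknown product: {product!r}")
    return build < fixed


def triage_inventory(inventory):
    """inventory: iterable of (hostname, product, build) tuples.
    Returns the entries that still need the vendor update, for the 'identify all
    instances' and 'validate successful installation' steps."""
    return [(host, product, build)
            for host, product, build in inventory
            if is_affected(product, build)]


# Assumed access-log layout for this example (constructed, not the product's real format):
#   <client-ip> <method> <path> <status>
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def suspicious_requests(lines):
    """Flag requests whose path is under /RestAPI and references ImportTechnicians,
    the two elements this page ties to the flaw. Matching on these substrings is the
    example's assumption; a real rule would be tuned to the deployed URL layout."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # skip lines that do not fit the assumed layout
            continue
        path = m.group("path")
        lowered = path.lower()
        if "/restapi" in lowered and "importtechnicians" in lowered:
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


# Constructed sample inventory: hostnames and builds are made up for the example.
SAMPLE_INVENTORY = [
    ("sdp-prod-01", "ServiceDesk Plus", 11205),      # below 11306: affected
    ("sdp-prod-02", "ServiceDesk Plus", 11306),      # at fixed build: patched
    ("msp-01", "ServiceDesk Plus MSP", 10529),       # below 10530: affected
    ("scp-01", "SupportCenter Plus", 11014),         # at fixed build: patched
]

# Constructed sample log lines in the assumed layout (documentation IP ranges).
SAMPLE_LOG = [
    "203.0.113.5 POST /RestAPI/ImportTechnicians 200",
    "198.51.100.7 GET /WorkOrder.do 200",
    "203.0.113.5 POST /RestAPI/ImportTechnicians 500",
    "not a log line",
    "198.51.100.9 GET /RestAPI/Tickets 200",
]

if __name__ == "__main__":
    for host, product, build in triage_inventory(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host} runs {product} build {build} (< {FIXED_BUILDS[product]})")
    for ip, method, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"REVIEW: {ip} {method} {path} -> {status}")
```

Run against a real inventory export and the web server's access logs in place of the constructed samples; hosts returned by `triage_inventory` after patching indicate the update did not install, and hits from `suspicious_requests` on a pre-patch system are worth correlating with the CISA KEV listing noted above when deciding whether to treat the host as compromised.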

Frequently asked questions

What is Zoho ManageEngine ServiceDesk Plus and what are its related products vulnerable to this security flaw?

Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus are IT service management and help desk software. Versions prior to 11306 for ServiceDesk Plus, 10530 for ServiceDesk Plus MSP, and 11014 for SupportCenter Plus are susceptible to a critical security vulnerability.

What type of weakness does CVE-2021-44077 represent and how is it classified?

CVE-2021-44077 is a CWE-306 (Missing Authentication for Critical Function) weakness that allows unauthenticated remote code execution. An attacker can execute commands on a vulnerable system without any credentials, which is why it carries a CRITICAL severity rating with a CVSS base score of 9.8.

How can an attacker trigger unauthenticated remote code execution in these Zoho ManageEngine products?

Attackers can exploit this vulnerability by interacting with specific /RestAPI URLs within a servlet, particularly when the ImportTechnicians function is called within the Struts configuration. This can grant unauthorized system control without any authentication.

What is the relevance of CVE-2021-44077 to cybersecurity and why is immediate action needed?

This vulnerability allows for unauthenticated remote code execution, posing a significant threat by enabling unauthorized system control and potential data exfiltration. The U.S. CISA has added it to its Known Exploited Vulnerabilities Catalog, highlighting its active exploitation and the urgent need for remediation.

What steps should an organization take to address the Zoho ManageEngine ServiceDesk Plus vulnerability?

Organizations should identify all instances of the affected Zoho ManageEngine products, isolate vulnerable systems if possible, and immediately apply vendor-provided updates. Verifying the successful installation of patches is crucial to mitigate the risk of exploitation.
