Vulnerabilities in Zoho ManageEngine products being actively exploited

Attackers are known to be actively exploiting vulnerabilities in Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus

Report a cyber attack: call 0300 303 5222 or email [email protected]

Threat details

Introduction

Two vulnerabilities in Zoho ManageEngine products, tracked as CVE-2021-37415 and CVE-2021-44077, are being actively exploited. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and issued a statement warning that they are frequently used as an initial attack vector.

CVE-2021-37415 is rated critical (CVSS v3 9.8). It is an authentication bypass vulnerability in Zoho ManageEngine ServiceDesk Plus that allows a small number of REST API URLs to be reached without authentication.

CVE-2021-44077 is rated critical (CVSS v3 9.8). It affects Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. The vulnerability is related to the /RestAPI URLs handled by a servlet and to the ImportTechnicians action in the Struts configuration. An unauthenticated attacker could exploit it to achieve remote code execution on the server.


Remediation advice

Affected organisations are encouraged to review Zoho ManageEngine's security advisories (listed below), confirm the installed build number against the affected version ranges, and apply the necessary updates.


Remediation steps

Type: Patch
Step: [Security advisory] Authentication bypass vulnerability in ServiceDesk Plus versions 11305 and below
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above

Type: Patch
Step: [Security advisory for CVE-2021-44077] Unauthenticated RCE vulnerability in ServiceDesk Plus versions up to 11305
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021

Type: Patch
Step: [Security advisory for CVE-2021-44077] Unauthenticated RCE vulnerability in ServiceDesk Plus MSP versions 10527 till 10529
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-msp-versions-10527-till-10529

Type: Patch
Step: [Security advisory for CVE-2021-44077] Unauthenticated RCE vulnerability in SupportCenter Plus versions 11012 and 11013
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-supportcenter-plus-versions-11012-and-11013
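The following triage script is an added example and is not code from Zoho ManageEngine or from this advisory. It covers two things a practitioner would want from the threat details and remediation steps above: checking an installed build number against the affected ranges stated in the advisory titles, and scanning web server access logs for requests into the /RestAPI servlet that the vulnerability description ties to CVE-2021-44077. The build ranges are taken from the advisory titles as written on this page (the lower bound for the authentication bypass is not stated there, so it is treated as open). The URL /RestAPI/ImportTechnicians, the log lines, the IP addresses and the trusted-host allowlist are constructed for the example; the page only names /RestAPI URLs and the ImportTechnicians Struts action, not the exact path.

```python
"""Triage helpers for the ManageEngine advisories on this page (added example)."""
import re

# Affected build ranges as stated in the advisory titles on this page.
# The lower bound of the CVE-2021-37415 range is not given there, so 0 is used.
AFFECTED = {
    "ServiceDesk Plus": [
        ("CVE-2021-37415", 0, 11305),       # "versions 11305 and below"
        ("CVE-2021-44077", 0, 11305),       # "versions up to 11305"
    ],
    "ServiceDesk Plus MSP": [
        ("CVE-2021-44077", 10527, 10529),   # "versions 10527 till 10529"
    ],
    "SupportCenter Plus": [
        ("CVE-2021-44077", 11012, 11013),   # "versions 11012 and 11013"
    ],
}


def affected_cves(product, build):
    """Return the CVEs whose advisory range covers this product build number."""
    return [cve for cve, lo, hi in AFFECTED.get(product, []) if lo <= build <= hi]


# Apache/Tomcat combined access-log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # keep only the path component and compare case-insensitively
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def suspicious_restapi_hits(lines, trusted_ips=frozenset()):
    """Flag requests into the /RestAPI servlet from hosts outside the allowlist.

    An access log cannot show whether a request was authenticated, so the
    output is a list of leads for the incident responder, not a verdict.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in trusted_ips:
            continue
        if not rec["path"].startswith("/restapi/"):
            continue
        reason = None
        if "importtechnicians" in rec["path"]:
            # path assumed for the example; the page names only the Struts action
            reason = "ImportTechnicians action reached (CVE-2021-44077 related)"
        elif rec["method"] == "POST" and rec["status"] < 400:
            reason = "successful POST to /RestAPI from untrusted host"
        if reason:
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"], reason))
    return hits


# Constructed sample log lines; 10.0.0.5 plays the role of a known integration host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2021:09:14:02 +0000] "POST /RestAPI/Requests HTTP/1.1" 200 1834
203.0.113.7 - - [01/Dec/2021:09:15:44 +0000] "POST /RestAPI/ImportTechnicians HTTP/1.1" 200 512
203.0.113.7 - - [01/Dec/2021:09:15:50 +0000] "POST /RestAPI/Requests HTTP/1.1" 200 0
192.0.2.9 - - [01/Dec/2021:09:16:01 +0000] "GET /RestAPI/ImportTechnicians?x=1 HTTP/1.1" 404 210
198.51.100.2 - - [01/Dec/2021:09:20:00 +0000] "GET /HomePage.do HTTP/1.1" 302 0
""".splitlines()


if __name__ == "__main__":
    for product, build in [("ServiceDesk Plus", 11305), ("ServiceDesk Plus MSP", 10530)]:
        print(product, build, "->", affected_cves(product, build) or "not in an affected range")
    for hit in suspicious_restapi_hits(SAMPLE_LOG, trusted_ips={"10.0.0.5"}):
        print(*hit)
```

Run the log scan over the Tomcat access logs of every exposed ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus instance for the period before patching; the ImportTechnicians matches are reported regardless of status code because even a failed probe against that action tells you the host was targeted. A build found inside an affected range should be treated as potentially compromised until the logs have been reviewed, not merely updated.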


Last edited: 3 December 2021 2:21 pm