Authentication Bypass Vulnerability in Zoho ManageEngine Desktop Central and Desktop Central MSP

Summary

Zoho releases critical security update to fix an authentication bypass vulnerability in Zoho ManageEngine Desktop Central and Desktop Central MSP


Threat details

Introduction

Zoho has released a critical security update for a vulnerability, tracked as CVE-2021-44757, in its ManageEngine Desktop Central and ManageEngine Desktop Central MSP products. The vulnerability has been fixed in the 10.1.2137.9 build (released on 17 January 2022).

CVE-2021-44757 is an authentication bypass vulnerability that, if successfully exploited, could allow a remote attacker to read unauthorised data or write an arbitrary zip file to the server.
 

Vulnerable ManageEngine products recently targeted by Advanced Persistent Threat groups

Vulnerable Zoho ManageEngine products have been targeted in recent attacks by Advanced Persistent Threat (APT) groups. Organisations running vulnerable versions of Zoho ManageEngine Desktop Central or Desktop Central MSP are strongly advised to apply the security update immediately.


Remediation advice

Affected organisations should review Zoho's Vulnerability Notification and follow the guidance in the security advisories below to apply the necessary updates.


Remediation steps

Type: Patch
Step: CVE-2021-44757 Security Advisory for Desktop Central
https://www.manageengine.com/products/desktop-central/cve-2021-44757.html

Type: Patch
Step: CVE-2021-44757 Security Advisory for Desktop Central MSP
https://www.manageengine.com/desktop-management-msp/cve-2021-44757.html


Last edited: 18 January 2022 12:33 pm