From 2-3 December 2021, advisories were issued on threat actors taking advantage of two critical vulnerabilities in Zoho ManageEngine products. We recommend applying the latest updates for the affected products as soon as possible.
On 3 December 2021, Zoho ManageEngine issued a security advisory on an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP installations, noting that threat actors are taking advantage of the flaw.
The critical vulnerability, tracked as CVE-2021-44515, exists due to an error when processing authentication requests. Threat actors could use this flaw to gain unauthorized access to the product by sending a specially crafted request leading to remote code execution.
On 2 December 2021, the US federal government released a cybersecurity advisory reporting on active exploitation of a critical vulnerability tracked as CVE-2021-44077.
Zoho ManageEngine released an update for this vulnerability on 16 September 2021. According to their September advisory, the flaw affects all Zoho ManageEngine ServiceDesk Plus versions up to, and including, version 11305.
Threat actors could use this flaw to “upload executable files and place web shells to enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files”.
This vulnerability does not affect ServiceDesk Plus Cloud versions.
We recommend applying the latest updates for the aforementioned products as soon as possible, following Zoho’s guidance.
If external access to this service is not required, prevent access to these products from the internet to reduce the risk.