CVE-2021-44077

critical

Description

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

References

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a

https://www.tenable.com/cyber-exposure/tenable-2022-threat-landscape-report

https://www.tenable.com/blog/cve-2022-47523-manageengine-password-manager-pro-pam360-and-access-manager-plus-sql-injection

https://www.tenable.com/blog/cve-2021-44515-zoho-patches-manageengine-zero-day-exploited-in-the-wild

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-supportcenter-plus-versions-11012-and-11013

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-msp-versions-10527-till-10529

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above

http://packetstormsecurity.com/files/165400/ManageEngine-ServiceDesk-Plus-Remote-Code-Execution.html

Details

Source: Mitre, NVD

Published: 2021-11-29

Updated: 2023-08-08

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical