Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
**Recent assessments:**
**wvu-r7** at January 14, 2022 9:36am UTC reported:
Please see the [Rapid7 analysis](<https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis>).
Assessed Attacker Value: 5
{"checkpoint_advisories": [{"lastseen": "2022-03-16T15:30:13", "description": "An authentication bypass vulnerability exists in Zoho ManageEngine Desktop Central. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-16T00:00:00", "type": "checkpoint_advisories", "title": "Zoho ManageEngine Desktop Central Authentication Bypass (CVE-2021-44515)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-03-16T00:00:00", "id": "CPAI-2021-1110", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-10T00:00:00", "type": "cisa_kev", "title": "Zoho Desktop Central Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2021-12-10T00:00:00", "id": "CISA-KEV-CVE-2021-44515", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-12-17T18:11:39", "description": "Zoho has released a security advisory to address an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP. An attacker could exploit this vulnerability to take control of an affected system. 
According to Zoho, this vulnerability is being actively exploited in the wild.\n\nCISA encourages users and administrators to review the [Zoho Vulnerability Notification](<https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp>) and the Zoho [ManageEngine Desktop Central](<https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>) and [ManageEngine Desktop Central MSP](<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>) security advisories and apply the recommended mitigations immediately.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/06/zoho-releases-security-advisory-manageengine-desktop-central-and>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-06T00:00:00", "type": "cisa", "title": "Zoho Releases Security Advisory for ManageEngine Desktop Central and Desktop Central MSP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2021-12-06T00:00:00", "id": "CISA:C9AC32BB051B58B7F0F6E0FD2949390C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/06/zoho-releases-security-advisory-manageengine-desktop-central-and", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:29:50", "description": "CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44515\n\n| \n\nZoho Corp. 
Desktop Central Authentication Bypass Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44168\n\n| \n\nFortinet FortiOS Arbitrary File Download Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\nRealtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\nPi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2020-17463](<https://nvd.nist.gov/vuln/detail/CVE-2020-17463>)\n\n| \n\nFuel CMS SQL Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-7238](<https://nvd.nist.gov/vuln/detail/CVE-2019-7238>)\n\n| \n\nSonatype Nexus Repository Manager Incorrect Access Control Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-13272](<https://nvd.nist.gov/vuln/detail/cve-2019-13272>)\n\n| \n\nLinux Kernel Improper Privilege Management Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-10758](<https://nvd.nist.gov/vuln/detail/CVE-2019-10758>)\n\n| \n\nMongoDB mongo-express Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-0193](<https://nvd.nist.gov/vuln/detail/CVE-2019-0193>)\n\n| \n\nApache Solr DataImportHandler Code Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-17562](<https://nvd.nist.gov/vuln/detail/cve-2017-17562>)\n\n| \n\nEmbedthis GoAhead Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-12149](<https://nvd.nist.gov/vuln/detail/CVE-2017-12149>)\n\n| \n\nRed Hat Jboss Application Server Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2010-1871](<https://nvd.nist.gov/vuln/detail/CVE-2010-1871>)\n\n| \n\nRed Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living 
list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2017-12149", "CVE-2017-17562", "CVE-2019-0193", "CVE-2019-10758", "CVE-2019-13272", "CVE-2019-7238", "CVE-2020-17463", "CVE-2020-8816", "CVE-2021-35394", "CVE-2021-44168", "CVE-2021-44228", "CVE-2021-44515"], "modified": "2022-01-25T00:00:00", "id": "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:09", "description": "CISA has added thirteen new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44515\n\n| \n\nZoho Corp. 
Desktop Central Authentication Bypass Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44168\n\n| \n\nFortinet FortiOS Arbitrary File Download Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\nRealtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\nPi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2020-17463](<https://nvd.nist.gov/vuln/detail/CVE-2020-17463>)\n\n| \n\nFuel CMS SQL Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-7238](<https://nvd.nist.gov/vuln/detail/CVE-2019-7238>)\n\n| \n\nSonatype Nexus Repository Manager Incorrect Access Control Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-13272](<https://nvd.nist.gov/vuln/detail/cve-2019-13272>)\n\n| \n\nLinux Kernel Improper Privilege Management Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-10758](<https://nvd.nist.gov/vuln/detail/CVE-2019-10758>)\n\n| \n\nMongoDB mongo-express Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-0193](<https://nvd.nist.gov/vuln/detail/CVE-2019-0193>)\n\n| \n\nApache Solr DataImportHandler Code Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-17562](<https://nvd.nist.gov/vuln/detail/cve-2017-17562>)\n\n| \n\nEmbedthis GoAhead Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-12149](<https://nvd.nist.gov/vuln/detail/CVE-2017-12149>)\n\n| \n\nRed Hat Jboss Application Server Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2010-1871](<https://nvd.nist.gov/vuln/detail/CVE-2010-1871>)\n\n| \n\nRed Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://cyber.dhs.gov/bod/22-01/>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that 
carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2017-12149", "CVE-2017-17562", "CVE-2019-0193", "CVE-2019-10758", "CVE-2019-13272", "CVE-2019-7238", "CVE-2020-17463", "CVE-2020-8816", "CVE-2021-35394", "CVE-2021-44168", "CVE-2021-44228", "CVE-2021-44515"], "modified": "2021-12-10T00:00:00", "id": "CISA:380E63A9EAAD85FA1950A6973017E11B", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "srcincite": [{"lastseen": "2022-02-27T09:44:51", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to bypass authentication on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the StateFilter class. The issue results from an arbitrary forward during request handling. An attacker can leverage this vulnerability to bypass authentication on the system and reset the administrator's password.\n\n**Affected Vendors:**\n\nZoho\n\n**Affected Products:**\n\nManageEngine Desktop Central and ManageEngine Desktop Central MSP <= 10.1.2137.2\n\n**Vendor Response:**\n\nZoho has issued an update to correct this vulnerability. 
More details can be found at: <https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-12T00:00:00", "type": "srcincite", "title": "SRC-2022-0001 : Zoho ManageEngine Desktop Central StateFilter Arbitrary Forward Authentication Bypass Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-01-21T00:00:00", "id": "SRC-2022-0001", "href": "https://srcincite.io/advisories/src-2022-0001/", "sourceData": "curl -kb \"STATE_COOKIE=&_REQS/_TIME/1337\" \"https://target.tld:8383/STATE_ID/1337/changeDefaultAmazonPassword?loginName=admin&newUserPassword=haxed\" -d \"\"", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": ""}], "cnvd": [{"lastseen": "2022-11-05T07:01:28", "description": "ZOHO ManageEngine Desktop Central MSP is a suite of desktop and mobile device management software for MSPs (managed service providers) from ZOHO. 
The software enables MSPs to remotely manage desktops, servers, and mobile devices in their customer networks and provides differentiated management services for organizations of all sizes. An authorization issue vulnerability exists in Zoho ManageEngine Desktop Central MSP, which stems from an error in the handling of authentication requests. A remote attacker could exploit this vulnerability to bypass the authentication process and execute arbitrary code on the Desktop Central MSP server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-09T00:00:00", "type": "cnvd", "title": "Zoho ManageEngine Desktop Central MSP Licensing Issue Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-01-20T00:00:00", "id": "CNVD-2022-05446", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-05446", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-07-13T18:04:18", "description": "Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in 
the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-12T05:15:00", "type": "cve", "title": "CVE-2021-44515", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central:10.1.2137.3"], "id": "CVE-2021-44515", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44515", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_desktop_central:10.1.2137.3:*:*:*:enterprise:*:*:*"]}], "nessus": [{"lastseen": "2023-01-11T14:59:26", "description": "The ManageEngine Desktop Central application running on the remote host is prior to 10.1.2127.18, or 10.1.2128.0 prior to 10.1.2137.3. 
It is, therefore, affected by an authentication bypass vulnerability which can allow an adversary to bypass authentication and execute arbitrary code in the Desktop Central server.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-06T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central < 10.1.2127.18 / 10.1.2128.0 < 10.1.2137.3 Authentication Bypass (CVE-2021-44515)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_3.NASL", "href": "https://www.tenable.com/plugins/nessus/155865", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155865);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n 
script_cve_id(\"CVE-2021-44515\");\n script_xref(name:\"IAVA\", value:\"2021-A-0570-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0050\");\n\n script_name(english:\"ManageEngine Desktop Central < 10.1.2127.18 / 10.1.2128.0 < 10.1.2137.3 Authentication Bypass (CVE-2021-44515)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java-based web application that is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The ManageEngine Desktop Central application running on the remote host is prior to 10.1.2127.18, or 10.1.2128.0 prior\nto 10.1.2137.3. It is, therefore, affected by an authentication bypass vulnerability which can allow an adversary to\nbypass authentication and execute arbitrary code in the Desktop Central server.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa9e3175\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central 10.1.2127.18 / 10.1.2137.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44515\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_installed.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'ManageEngine Desktop Central', win_local:TRUE);\n\nvar constraints = [\n {'fixed_version':'10.1.2127.18'},\n {'min_version':'10.1.2128.0', 'fixed_version':'10.1.2137.3'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-01-18T16:16:07", "description": "A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned.\n\nThe bug (CVE-2021-44757) could allow a remote user to \u201cperform unauthorized actions in the server,\u201d according to the company\u2019s Monday [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>). 
\u201cIf exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary .ZIP file on the server.\u201d\n\nZoho\u2019s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. Users can automate routines like installing patches, deploying software, imaging and deploying OS, according to the company\u2019s [documentation.](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>) It can also be used to manage assets and software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, and more.\n\nOn the mobile side, users can deploy profiles and policies; configure devices for Wi-Fi, VPNs, email accounts and so on; apply restrictions on application installs, camera usage and the browser; and manage security with passcodes and remote lock/wipe functionality.\n\nAs such, the platform offers far-reaching access into the guts of an organization\u2019s IT footprint, making for an information-disclosure nightmare in the case of an exploit, potentially. As well, the [ability to install a .ZIP file](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>) paves the way for the installation of malware on all of the endpoints managed by the Desktop Central instance.\n\nIn the case of the MSP version \u2013 which, as its name suggests, allows managed service providers (MSPs) to offer endpoint management to their own customers \u2013 the bug could be used in a [supply-chain attack](<https://threatpost.com/kaseya-attack-fallout/167541/>). 
Cybercriminals can simply compromise one MSP\u2019s Desktop Central MSP edition and potentially gain access to the customers whose footprints are being managed using it, depending on security measures the provider has put in place.\n\nZoho ManageEngine [released a Knowledge Base entry detailing patches](<https://www.manageengine.com/products/desktop-central/cve-2021-44757.html>) on Monday, and users are encouraged to update to the latest build in order to protect themselves. The firm also offered tips for general hardening of Desktop Central environments in the KB article.\n\n## **Zoho ManageEngine: Popular for Zero-Day Attacks**\n\nThe company didn\u2019t say whether the bug has been under attack as a zero-day vulnerability, but it\u2019s a good bet that cyberattackers will start targeting it for exploit if they haven\u2019t already. The ManageEngine platform is a popular one for attackers, given its all-seeing nature.\n\nThis played out in September, for instance, when a critical security vulnerability (CVE-2021-40539) in the Zoho ManageEngine ADSelfService Plus platform was patched; it could allow remote attackers to bypass authentication and have free rein across users\u2019 Active Directory (AD) and cloud accounts. But it was [under active attack](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) even before it was fixed, according to the Cybersecurity and Infrastructure Security Agency (CISA).\n\nIn December, the FBI even went so far as to issue [an official alert](<https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/>) after a Zoho ManageEngine zero-day vulnerability was found to be under active attack from an advanced persistent threat (APT) group. 
That bug (CVE-2021-44515) could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central and to elevate privileges \u2013 with an ultimate goal of dropping malware onto organizations\u2019 networks.\n\n**_Password_**_ _**_Reset: _****_[On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):_**_ Fortify 2022 with a password-security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. _**_[Register & stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)_**_ \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-18T15:44:21", "type": "threatpost", "title": "Critical ManageEngine Desktop Server Bug Opens Orgs to Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T15:44:21", "id": "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F", "href": "https://threatpost.com/critical-manageengine-desktop-server-bug-malware/177705/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T14:43:15", "description": "Another Zoho ManageEngine zero-day vulnerability is under active attack from an APT group, this time looking to override legitimate functions of servers running ManageEngine Desktop Central and elevate privileges \u2014 with an ultimate goal of dropping malware onto organizations\u2019 networks, the FBI has warned.\n\nAPT actors have been exploiting the bug, tracked as [CVE-2021-44515](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44515>), since at least late October, the feds revealed in an [FBI Flash alert](<https://www.ic3.gov/Media/News/2021/211220.pdf>) released last week. There is also evidence to support that it\u2019s being used in an attack chain with two other Zoho bugs that researchers have observed under attack since September, according to the alert.\n\nThe latest vulnerability is an authentication-bypass vulnerability in ManageEngine Desktop Central that can allow an attacker to execute arbitrary code in the Desktop Central server, according to a Zoho [advisory](<https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>) that addressed the issue, published earlier this month.\n\nIndeed, the feds said they observed APT actors doing exactly that. 
More specifically, researchers observed attackers \u201ccompromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials,\u201d according to the Flash Alert.\n\nZoho has addressed the vulnerability and is urging organizations to update to the appropriate latest builds of ManageEngine Desktop Central due to \u201cindications of exploitation,\u201d the company said in its advisory.\n\nSpecifically, the company is advising enterprise customers who have builds 10.1.2127.17 and below deployed to upgrade to build [10.1.2127.18](<https://downloads.zohocorp.com/dnd/Desktop_Central/vSfr4V3f7NXjEJK/ManageEngine_Desktop_Central_10_1_0_SP-2127_18.ppm>); and those using builds 10.1.2128.0 to 10.1.2137.2 to upgrade to build [10.1.2137.3](<https://downloads.zohocorp.com/dnd/Desktop_Central/5fbkfifZFuh9mVx/ManageEngine_Desktop_Central_10_1_0_SP-2137_3.ppm>).\n\n## **Zoho Under Fire**\n\nThe bug is the third zero-day under active attack that researchers have discovered in the cloud platform company\u2019s ManageEngine suite since September, spurring dire warnings from the FBI and researchers alike.\n\nThough no one has yet conclusively identified the APT responsible, it\u2019s likely the attacks are linked and those responsible are from China, previous evidence has shown.\n\nEarlier this month, researchers at Palo Alto Networks Unit 42 [revealed](<https://threatpost.com/threat-group-takes-aim-again-at-cloud-platform-provider-zoho/176732/>) that state-backed adversaries were using vulnerable versions of ManageEngine ServiceDesk Plus to target a number of U.S. organizations between late October and November.\n\nThe attacks were related to a bug revealed in a Nov. 
22 [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) by Zoho alerting customers of active exploitation against newly registered [CVE-2021-44077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44077>) found in ManageEngine ServiceDesk Plus. The vulnerability, which allows for unauthenticated remote code execution, impacts ServiceDesk Plus versions 11305 and below.\n\nThat news came on the heels of [warnings](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September by the FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) that an unspecified APT was exploiting a then-zero-day vulnerability in Zoho ManageEngine\u2019s password management solution called ADSelfService Plus.\n\nZoho issued [a fix](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) for the vulnerability, tracked as [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>), soon after; still, researchers observed attackers [exploiting it](<https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/>) later in November in their continued assault on defense, energy and healthcare organizations.\n\nUnit 42 researchers combined the two previously known active attack fronts against Zoho\u2019s ManageEngine as the [\u201cTiltedTemple\u201d](<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>) campaign, and said earlier this month that there is evidence to link the APT responsible to China, although it is not conclusive.\n\nThe latest Flash Alert released by the FBI also shows a correlation between earlier APT attacks on ManageEngine and ADSelfService Plus, with malicious samples of code observed in the latest exploitation \u201cdownloaded from likely compromised ManageEngine ADSelfService Plus 
servers,\u201d according to the alert.\n\n## **Inside the Exploitation **\n\nThose samples show initial exploitation of a Desktop Central API URL that allowed for an unauthenticated file upload of two different variants of webshells; the first variant was delivered using either the file name \u201cemsaler.zip\u201d or \u201ceco-inflect.jar\u201d in late October and mid-November, respectively; and a second variant using the file name \u201caaa.zip\u201d in late November.\n\nThe webshell overrides the legitimate Desktop Central API servlet endpoint, \u201c/fos/statuscheck,\u201d and either filters inbound GET in the case of the second variant, or POST requests in the case of the first variant, to that URL path, according to the FBI. It then allows attackers to execute commands as the SYSTEM user with elevated privileges if the inbound requests pass the filter check.\n\nThe webshell allows attackers to conduct initial reconnaissance and domain enumeration, after which the actors use BITSAdmin to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe, according to the FBI. 
Attackers then sideload the dropper through AppLaunch execution, creating a persistent service to execute the AppLaunch binary moving forward.\n\n\u201cUpon execution, the dropper creates an instance of svchost and injects code with RAT-like functionality that initiates a connection to a command and control server,\u201d according to the FBI.\n\nThreat actors conduct follow-on intrusion activity through the RAT, including attempted lateral movement to domain controllers and credential dumping techniques using Mimikatz, comsvcs.dll LSASS process memory dumping, and a WDigest downgrade attack with subsequent LSASS dumping through pwdump, researchers observed.\n\nThe FBI Flash Alert includes a detailed list of indicators of compromise so organizations using Zoho\u2019s ManageEngine Desktop Central can check to see if they are at risk or have been a victim of attack.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-21T14:42:02", "type": "threatpost", "title": "FBI: Another Zoho ManageEngine Zero-Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515"], "modified": "2021-12-21T14:42:02", "id": "THREATPOST:927CAECDA58E6BC3266D14FE340589BB", "href": "https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:51", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjHMcXDV_clY9qcSsKkb2OAnYKFj0UHRQhJw2hVPqXcoFYUHdOV9I1c1_n8Cts-WBNsCC5QeLRhSXMP8AXBcSxfSv7-X1u92p_NKlGh0e1T367go5qLlZP_JyRzjUIMcONyTPXffBuAVxGFdEi87vmow8jsvdsVu1kywwfDfJESNMvFBaxHuAlYmc0Q>)\n\nEnterprise software provider Zoho on Friday warned that a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months.\n\nThe issue, assigned the identifier [CVE-2021-44515](<https://nvd.nist.gov/vuln/detail/CVE-2021-44515>), is an authentication bypass vulnerability that could permit an adversary to circumvent authentication protections and execute arbitrary code in the Desktop Central MSP server.\n\n\"If exploited, the attackers can gain unauthorized access to the product by sending a specially crafted request leading to remote code execution,\" Zoho [cautioned](<https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp>) in an [advisory](<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>). 
\"As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEj1xx5yUi1N8hhGwCsKIe41nVNxRANWaKDVgeuBCUxVqEN45mzkSaOzVblxzHvLtCK-S72xInMv4NWD4QK3W_SCbiMYIvb1aWhb4RUPVekHI3U6EYX9pyFk2YzPaff25pZUh78cc-rh7QoowlHfpWg_XvNGJTVk5a-4xiCyFSQB1ERi9_IrQwoKwI9U>)\n\nThe company has also made available an [Exploit Detection Tool](<https://downloads.zohocorp.com/dnd/Desktop_Central/XTsIm8tSrnzjXhW/detector.zip>) that will help customers identify signs of compromise in their installations.\n\nWith this development, CVE-2021-44515 joins two other vulnerabilities [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) and [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) that have been [weaponized](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) to compromise the networks of critical infrastructure organizations across the world.\n\nThe disclosure also comes a day after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) that CVE-2021-44077 \u2014 an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus \u2014 is being exploited to drop web shells and carry out an array of post-exploitation activities as part of a campaign dubbed \"TiltedTemple.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-04T05:07:00", "type": "thn", "title": "Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515"], "modified": "2021-12-04T05:09:04", "id": "THN:DB8E18C57AFB9EEEFDABD840FBF5D938", "href": "https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:42", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEi_JzJRZbhmwlI8nV6xvkiS-sqhx4pz9DQL18ARUkEMQ_wOFlAYdEOdD4hlQoSB4-kzuDeFRvQMomyrIIJrBdy18WyEjmjhgJP6BXAkfU9f0Rq6tEf8fPpFqfB2ECAX-eKxA8bnmcz82Btn6m88Da1ZmVoPX2PGZ-VwDYc04o6OHV0-wKonRvpMc6UK>)\n\nEnterprise software maker Zoho on Monday issued patches for a critical 
security vulnerability in Desktop Central and Desktop Central MSP that a remote adversary could exploit to perform unauthorized actions in affected servers.\n\nTracked as [CVE-2021-44757](<https://nvd.nist.gov/vuln/detail/CVE-2021-44757>), the shortcoming concerns an instance of authentication bypass that \"may allow an attacker to read unauthorized data or write an arbitrary zip file on the server,\" the company [noted](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>) in an advisory.\n\nOsword from SGLAB of Legendsec at Qi'anxin Group has been credited with discovering and reporting the vulnerability. The Indian firm said it remediated the issue in build version 10.1.2137.9.\n\nWith the latest fix, Zoho has addressed a total of four vulnerabilities over the past five months \u2014\n\n * [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus\n * [CVE-2021-44077](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) \u2013 Unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus, and\n * [CVE-2021-44515](<https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine Desktop Central\n\nIn light of the fact that all the three aforementioned flaws have been exploited by malicious actors, it's recommended that users apply the updates as soon as possible to mitigate any potential threats.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T05:13:00", "type": "thn", "title": "Zoho Releases Patch for Critical Flaw Affecting ManageEngine Desktop Central", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T10:03:19", "id": "THN:A29E47C7A7467A109B420FF0819814EE", "href": "https://thehackernews.com/2022/01/zoho-releases-patch-for-critical-flaw.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-12-17T07:20:56", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file 
here.](<https://www.hivepro.com/wp-content/uploads/2021/11/Several-Zoho-ManageEngine-products-have-been-exploited_TA202154.pdf>)[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F11%2FSeveral-Zoho-ManageEngine-products-have-been-exploited_TA202154.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" ) \n\n\nMultiple vulnerabilities have been discovered in Zoho ManageEngine products. The affected products include Zoho ManageEngine ServiceDesk Plus, Zoho ManageEngine SupportCenter Plus, Zoho ManageEngine Desktop Central, and Zoho ManageEngine AssetExplorer. \nCVE-2021-44077 is a vulnerability that could allow an attacker to run arbitrary code. It was discovered on November 20, 2021. This vulnerability, however, may be easily fixed by updating to Zoho version 11306, which was released in September. Attackers are focusing on the healthcare, financial services, electronics, and IT consulting businesses by exploiting this vulnerability. \nCVE-2021-44515 & CVE-2021-44526 are authentication bypass vulnerabilities. CVE-2021-44515 only affects Zoho ManageEngine ServiceDesk and Zoho ManageEngine AssetExplorer installations that use Desktop Central Agent for asset discovery, and CVE-2021-44526 affects all vulnerable versions of Zoho ManageEngine ServiceDesk and Zoho ManageEngine AssetExplorer. \nTwo of these vulnerabilities (CVE-2021-44077 and CVE-2021-44515) have been exploited in the wild, so organizations should upgrade their Zoho ManageEngine products to their latest versions to eliminate these vulnerabilities. 
\nThe techniques used by an unknown actor to exploit CVE-2021-44077 include: \nT1190 - Exploit Public Facing Application \nT1505.003 - Server Software Component: Web Shell \nT1027 - Obfuscated Files or Information \nT1140 - Deobfuscate/Decode Files or Information \nT1003 - OS Credential Dumping \nT1218 - Signed Binary Proxy Execution \nT1136 - Create Account \nT1003.003 - OS Credential Dumping: NTDS \nT1047 - Windows Management Instrumentation \nT1070.004 - Indicator Removal on Host: File Deletion \nT1087.002 - Account Discovery: Domain Account \nT1560.001 - Archive Collected Data: Archive via Utility \nT1573.001 - Encrypted Channel: Symmetric Cryptography[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F12%2FMicrosoft-could-not-patch-this-vulnerability-yet-again_TA202153.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" )\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise (IoCs) *\n\n\n\n#### Patch Link\n\n<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>\n\n<https://www.manageengine.com/products/service-desk/security-response-plan.html>\n\n<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-servicedesk-plus-and-desktop-central>\n\n<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-assetexplorer-and-desktop-central>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-336a>\n\n<https://www.bleepingcomputer.com/news/security/zoho-patch-new-manageengine-bug-exploited-in-attacks-asap/>\n\n<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>\n\n \n\n \n\n* Indicates parameters that apply to CVE-2021-44077", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-05T12:31:49", "type": "hivepro", "title": "Several Zoho ManageEngine products have been exploited", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44526"], "modified": "2021-12-05T12:31:49", "id": "HIVEPRO:C7C4C4FD6D71992EA2AF88F0ECFBD280", "href": "https://www.hivepro.com/several-zoho-manageengine-products-have-been-exploited/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-02-18T15:27:57", "description": "\n\nGreetings, fellow security professionals. As we enter into the new year, we wanted to provide a recap of product releases and features on the vulnerability management (VM) front for Q4 2021.\n\nLet's start by talking about the elephant in the room. The end of last year was dominated by [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>), the once-in-a-generation security vulnerability that impacted nearly every corner of the security industry and completely ruined every holiday party we were invited to. 
But as you will see below, in addition to providing you with strong Log4Shell coverage, our VM team has been hard at work on multitudes of other features and capabilities as well.\n\nChief among these are improvements to credential management aspects of scanning, in the form of Scan Assistant, and better Credential Status Reporting. Container scanning is also seeing improved integration of results, as well as enhanced checks leveraging Snyk. Last but not least, email distribution of reports will allow you to better communicate findings across the organization. In other words, Q4 was more than Log4Shell over here, and we're excited to tell you about it.\n\n(Note: Starting this edition, you will see up front a label of [InsightVM] vs [InsightVM & Nexpose] to clarify which product a new feature or capability pertains to)\n\n## [InsightVM & Nexpose] Log4j security content\n\nWhen Log4j hit in early December, our VM teams went into high gear offering solutions and boosting ways InsightVM can identify vulnerable software. 
Here's a recap of our current [coverage](<https://docs.rapid7.com/insightvm/apache-log4j>):\n\n * Authenticated, generic JAR-based coverage for Windows, macOS, and Unix-like operating systems\n * [Mitigation checks](<https://www.rapid7.com/db/vulnerabilities/apache-log4j-core-jndilookup-mitigated/>) for macOS and Unix-like operating systems\n * Remote check for vulnerable HTTP(S) applications\n * Package-based checks for supported Linux distributions\n * [Coverage](<https://www.rapid7.com/db/vulnerabilities/vcenter-log4j-CVE-2021-44228/>) and [mitigation](<https://www.rapid7.com/db/vulnerabilities/vcenter-log4j-core-vmsa-2021-0028-9-mitigated/>) checks for CVE-2021-44228 and CVE-2021-45046 affecting VMware vCenter Appliances\n * We also added IVM checks to assess CVE-2021-45046 on [VMware Horizon Connection Server](<https://www.rapid7.com/db/vulnerabilities/vmware-horizon-connection-server-cve-2021-45046/>) and [Horizon Agent](<https://www.rapid7.com/db/vulnerabilities/vmware-horizon-agent-cve-2021-45046/>)\n * Authenticated JAR-based checks for follow-on CVEs (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)\n\n## [InsightVM] Log4j dashboard and Query Builder\n\nWe added a log4j Query Builder query to the Helpful Queries section of Query Builder and a new dashboard template (the Specific Vulnerability Dashboard) designed to allow customers to visualize the impact of a specific vulnerability or vulnerabilities to their environment.\n\n\n\nWe have a TON of additional Log4j resources here for you to check out:\n\n * A [blog ](<https://www.rapid7.com/blog/post/2021/12/14/using-insightvm-to-find-apache-log4j-cve-2021-44228/>)from our product manager Greg Wiseman that gives some great context on using InsightVM to detect Log4j\n * A [customer resource hub](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) on how various Rapid7 products help you defend against Log4j\n * A [general public resource 
hub](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) on background info about this extraordinary new vulnerability\n\n## [InsightVM & Nexpose] Additional vulnerability checks and content (non-Log4Shell)\n\nBelieve it or not, the world has seen other vulns beyond Log4j. As a team, we added nearly 4,000 vulnerability checks to InsightVM and Nexpose in Q4 and more than a few that warrant mentioning here.\n\n * Zoho's ManageEngine portfolio was affected by critical unauthenticated remote code execution vulnerabilities in [ServiceDesk Plus](<https://www.rapid7.com/db/vulnerabilities/zoho-manageengine-servicedesk-plus-cve-2021-44077/>) and [Desktop Central](<https://www.rapid7.com/db/vulnerabilities/http-manageengine-dc-cve-2021-44515/>)\n * We also saw [opportunistic exploitation](<https://www.rapid7.com/blog/post/2021/11/09/opportunistic-exploitation-of-zoho-manageengine-and-sitecore-cves/>) of [CVE-2021-42237](<https://www.rapid7.com/db/vulnerabilities/sitecore-experience-platform-cve-2021-42237/>), an insecure deserialization vulnerability in the SiteCore Experience Platform\n * The open-source CI/CD solution GoCD was hit by [CVE-2021-43287](<https://www.rapid7.com/db/vulnerabilities/http-gocd-cve-2021-43287/>), allowing unauthenticated attackers to leak configuration information, including build secrets and encryption keys, with a single HTTP request\n\nIf you want to learn more about these and many other threats that materialized during Q4, check out our [Emergent Threat Response](<https://www.rapid7.com/blog/tag/emergent-threat-response/>) blogs (you should check those out regularly, because we are constantly and consistently writing about new threats in near real-time).\n\n## [InsightVM & Nexpose] Introducing Scan Assistant\n\nCredential management for Scan Engine can be a huge burden on vulnerability management teams, especially when you are managing tens of thousands of devices. 
That's why we created Scan Assistant to help ease that burden.\n\nScan Assistant is a lightweight service that can be installed on each scan target. It allows you to scan targets without the need for credentials. When the Scan Engine scans a target with the Scan Assistant attached, it will automatically collect the information it needs to access the target without the need for additional scan credentials. In addition to enhanced security, Scan Assistant improves scan performance for vulnerability and policy scans, has a fully on-premise footprint, works with both InsightVM and Nexpose, and is completely idle until engaged by a scan. Scan Assistant is now generally available for Windows environments. We'll have coverage for other OSes to follow in the future.\n\nAnd, as usual, you can learn so much more [here](<https://www.rapid7.com/blog/post/2021/10/18/passwordless-network-scanning-same-insights-less-risk/>).\n\n\n\n## [InsightVM & Nexpose] NEW - Scan diagnostic checks for Credential Status Reporting\n\nWhile we're on the subject of credentials during scans, every so often the scan engine can return a partial or total credential failure that might leave you scratching your head. With this new feature, InsightVM and Nexpose offer scan diagnostic checks that allow you to have more granular visibility into credential success (or lack thereof). This will allow you to better troubleshoot authenticated scans that return results you did not expect.\n\nResults are written as vulnerability checks, giving you the ability to use aspects of the platform's functionality that you are already familiar with to assess where things went wrong.\n\n\n\n## [InsightVM] Container Image Scanner integration, additional container software library package checks, improved container scan results integration, and emailed reports\n\nWe are always looking for ways to make your life easier, and these three new improvements to the InsightVM platform are designed to do just that. 
First, we enhanced the Container Image Scanner to record and post results to InsightVM rather than just to the developer's local machine where the container lives. This allows the organization to better monitor the security of containers under development. Take a look for yourself \u2014 it's in the Builds tab of the Container Security section.\n\nWe've also launched a fingerprinter for .Net NuGet and Ruby Gem packages. This allows us to check for vulnerabilities in these software packages by leveraging the Snyk integration. This brings our support for Snyk security content to include Java Maven, Node NPM (JavaScript), Python PIP, and now .Net NuGet and Ruby Gem packages.\n\n\n\nFinally, we're making it easier to share findings across your organization by allowing reports to be sent via email. The message includes a password-protected and encrypted PDF, and recipients receive the password in a separate email to ensure the information remains secure.\n\n\n\nQ4 was a trying time for everyone in the security sphere, and we know that our work on that front is far from done. We hope that some or all of these new InsightVM and Nexpose features make Q1 2022 and beyond a little easier, less stressful, and ultimately more secure. 
Stay strong!\n\n_**Additional reading:**_\n\n * _[Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal](<https://www.rapid7.com/blog/post/2022/02/17/log4shell-2-months-later-security-strategies-for-the-internets-new-normal/>)_\n * _[Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale](<https://www.rapid7.com/blog/post/2022/01/07/log4shell-strategic-response-5-practices-for-vulnerability-management-at-scale/>)_\n * _[Distribute Reports to Email Addresses in InsightVM](<https://www.rapid7.com/blog/post/2021/11/17/distribute-reports-to-email-addresses-in-insightvm/>)_\n * _[InsightVM Scan Diagnostics: Troubleshooting Credential Issues for Authenticated Scanning](<https://www.rapid7.com/blog/post/2021/11/03/insightvm-scan-diagnostics-troubleshooting-credential-issues-for-authenticated-scanning/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-18T14:20:00", "type": "rapid7blog", "title": "What's New in InsightVM and Nexpose: Q4 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42237", "CVE-2021-43287", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-18T14:20:00", "id": "RAPID7BLOG:AB5C0BC130F45073226CC41D25680EA0", "href": "https://blog.rapid7.com/2022/02/18/whats-new-in-insightvm-and-nexpose-q4-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. 
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines given in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities listed by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help them comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}