Oh No, Zoho: Active Exploitation of CVE-2021-44077 Allowing Unauthenticated Remote Code Execution


CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update ---|---|---|---|---|--- CVE-2021-44077 | [Zoho's Advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) | [AttackerKB](<https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis?referrer=blog>) | In Development | Immediately | December 9, 1:30pm ET ## Summary ![Oh No, Zoho: Active Exploitation of CVE-2021-44077 Allowing Unauthenticated Remote Code Execution](https://blog.rapid7.com/content/images/2021/12/zoho-rce.jpg) Zoho customers have had a huge incentive lately to keep their software up to date, as recent Zoho critical vulnerabilities have been weaponized shortly after release by advanced attackers. (Rapid7 blogged as recently as November 9, 2021, about the [Exploitation of Zoho ManageEngine](<https://www.rapid7.com/blog/post/2021/11/09/opportunistic-exploitation-of-zoho-manageengine-and-sitecore-cves/>)). This trend continues with [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>), an unauthenticated remote code execution vulnerability affecting several of their products. To assist their customers, Zoho has since set up an online [security response plan](<https://www.manageengine.com/products/service-desk/security-response-plan.html>) that includes an exploit detection tool to see if an organization’s installation is compromised. ## Affected versions: * ManageEngine ServiceDesk Plus, prior to version 11306 * ServiceDesk Plus MSP, prior to version 10530 * SupportCenter Plus, prior to version 11014 ## Details On September 16, 2021, Zoho released a [Security Advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above>) urging customers to upgrade their software in order to resolve an authentication bypass vulnerability. 67 days later, on November 22, 2021, they released an [additional advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) for the 44077 CVE indicating that the previously mentioned update also fixed a remote code execution (RCE) vulnerability that is being exploited in the wild. Last week, CISA released an [alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-336a>) detailing attacker tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). CVE-2021-44077 has also been added to CISA’s [known exploited vulnerabilities catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) with a required remediation date of December 15, 2021, for US federal agencies. ## Guidance Rapid7 advises organizations that utilize any of the impacted versions listed above patch on an emergency basis, utilize Zoho’s exploit detection tool, and review CISA’s documentation of IOCs to determine whether a specific installation has been compromised. Additionally, we recommend that access to these products should exist behind a VPN and organizations immediately stay up to date on software versions. Attackers have had enough critical vulnerabilities of late to build a bit of a skillset in understanding how the Zoho software works, so future vulnerabilities will only be exploited even faster. ## Rapid7 customers **InsightVM and Nexpose customers:** Our researchers are currently evaluating the feasibility of adding a vulnerability check. ## Updates [December 9, 2021] Rapid7 has posted an in-depth technical analysis and PoC of this vulnerability on [AttackerKB](<https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis?referrer=blog>). #### NEVER MISS A BLOG Get the latest stories, expertise, and news about security today. Subscribe