CVE-2021-44077

Warning

Exploit

EPSS 94.33%
Published 29.11.2021 04:15:06
Last modified 14.03.2025 16:48:14
Source cve@mitre.org
Teams watchlist Login
Open Login

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

Affected products Warnungen 1 Metrics 4 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Servicedesk Plus Version11.1 Update11138

Zohocorp ≫ Manageengine Servicedesk Plus Version11.1 Update11139

Zohocorp ≫ Manageengine Servicedesk Plus Version11.1 Update11140

Zohocorp ≫ Manageengine Servicedesk Plus Version11.1 Update11141

Zohocorp ≫ Manageengine Servicedesk Plus Version11.1 Update11142

Zohocorp ≫ Manageengine Servicedesk Plus Version11.1 Update11143

Zohocorp ≫ Manageengine Servicedesk Plus Version11.1 Update11144

Zohocorp ≫ Manageengine Servicedesk Plus Version11.1 Update11145

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11200

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11201

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11202

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11203

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11204

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11205

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11206

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11207

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11208

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11209

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11210

Zohocorp ≫ Manageengine Servicedesk Plus Version11.2 Update11211

Zohocorp ≫ Manageengine Servicedesk Plus Version11.3 Update11300

Zohocorp ≫ Manageengine Servicedesk Plus Version11.3 Update11301

Zohocorp ≫ Manageengine Servicedesk Plus Version11.3 Update11302

Zohocorp ≫ Manageengine Servicedesk Plus Version11.3 Update11303

Zohocorp ≫ Manageengine Servicedesk Plus Version11.3 Update11304

Zohocorp ≫ Manageengine Servicedesk Plus Version11.3 Update11305

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version <= 10.5

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10500

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10501

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10502

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10503

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10504

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10505

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10506

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10507

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10508

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10509

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10510

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10511

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10512

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10513

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10514

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10515

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10516

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10517

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10518

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10519

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10520

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10521

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10522

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10523

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10524

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10525

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10526

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10527

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10528

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version10.5 Update10529

Zohocorp ≫ Manageengine Supportcenter Plus Version <= 11.0

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11000

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11001

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11002

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11003

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11004

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11005

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11006

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11007

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11008

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11009

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11010

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11011

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11012

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11013

01.12.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability

Vulnerability

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.33%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

http://packetstormsecurity.com/files/165400/ManageEngine-ServiceDesk-Plus-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above

Patch

Vendor Advisory

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-msp-versions-10527-till-10529

Vendor Advisory

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021

Vendor Advisory

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-supportcenter-plus-versions-11012-and-11013

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-44077

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-44077

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-44077

EUVD