Vulnerability Details : CVE-2021-44515

Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.

Vulnerability category: Execute code

Published 2021-12-12 05:15:08

Updated 2022-07-12 17:42:04

Source MITRE

View at NVD, CVE.org

CVE-2021-44515 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Zoho Desktop Central Authentication Bypass Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.

Added on 2021-12-10 Action due date 2021-12-24

Exploit prediction scoring system (EPSS) score for CVE-2021-44515

Probability of exploitation activity in the next 30 days: 97.49%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-44515

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	[email protected]
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2021-44515

https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog

Third Party Advisory;US Government Resource
https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html

Exploit;Patch;Vendor Advisory
https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp

Issue Tracking;Vendor Advisory

Products affected by CVE-2021-44515

Zohocorp » Manageengine Desktop Central » Managed Service Providers Edition
Versions from including (>=) 10.1.2128.0 and before (<) 10.1.2137.3
cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Desktop Central » Enterprise Edition
Versions from including (>=) 10.1.2128.0 and up to, including, (<=) 10.1.2137.3
cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:enterprise:*:*:*
Matching versions
Zohocorp » Manageengine Desktop Central » Enterprise Edition
Versions before (<) 10.1.2127.18
cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:enterprise:*:*:*
Matching versions
Zohocorp » Manageengine Desktop Central » Managed Service Providers Edition
Versions before (<) 10.1.2127.18
cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:managed_service_providers:*:*:*
Matching versions