Vulnerability Details : CVE-2021-44515
Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
Vulnerability category: Execute code
Products affected by CVE-2021-44515
- Zohocorp » Manageengine Desktop Central » Managed Service Providers EditionVersions from including (>=) 10.1.2128.0 and before (<) 10.1.2137.3cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:managed_service_providers:*:*:*
- Zohocorp » Manageengine Desktop Central » Enterprise EditionVersions from including (>=) 10.1.2128.0 and up to, including, (<=) 10.1.2137.3cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:enterprise:*:*:*
- Zohocorp » Manageengine Desktop Central » Managed Service Providers EditionVersions before (<) 10.1.2127.18cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:managed_service_providers:*:*:*
CVE-2021-44515 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Zoho Desktop Central Authentication Bypass Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2021-44515
Added on
2021-12-10
Action due date
2021-12-24
Exploit prediction scoring system (EPSS) score for CVE-2021-44515
97.37%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-44515
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
References for CVE-2021-44515
-
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog
CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog | CISAThird Party Advisory;US Government Resource
-
https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html
Authentication Bypass using Filter Configuration | ManageEngineExploit;Patch;Vendor Advisory
-
https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
An authentication bypass vulnerability identified and fixed in Desktop Central and Desktop Central MSPIssue Tracking;Vendor Advisory
Jump to