CVE-2021-37415
Published: 01 September 2021
Summary
CVE-2021-37415 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Zoho ManageEngine ServiceDesk Plus. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Zoho ManageEngine ServiceDesk Plus versions prior to build 11302 contain an authentication bypass vulnerability that exposes a limited set of REST-API URLs without requiring any credentials. The flaw is tracked as CWE-306 and carries a CVSS 3.1 base score of 9.8, reflecting a network-accessible attack vector with no prerequisites.
Unauthenticated remote attackers can invoke the affected API endpoints to interact with the application in ways normally restricted to authenticated users, potentially resulting in full compromise of the confidentiality, integrity, and availability of the ServiceDesk Plus instance.
Vendor release notes for build 11302 document the correction of the issue, and the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-23980
Vulnerability details
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 01 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization checks on all REST-API endpoints, blocking the unauthenticated access that the CVE exposes.
- IA-2 (Identification and Authentication (Organizational Users)): Requires successful identification and authentication before any system access, eliminating the authentication-bypass condition described in the CVE.
- Explicitly identifies and limits the few permitted actions that may occur without identification or authentication, preventing exposure of the affected REST-API URLs.