
CVE-2021-37415

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 01 September 2021
Modified: 31 October 2025
KEV Added: 01 December 2021
Patch: available (vendor build 11302)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9276 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-37415 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Zoho ManageEngine ServiceDesk Plus. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Zoho ManageEngine ServiceDesk Plus versions prior to build 11302 contain an authentication bypass that exposes a limited set of REST-API URLs without requiring any credentials. The flaw is tracked as CWE-306 and carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector that needs no privileges and no user interaction.

Unauthenticated remote attackers can invoke the affected API endpoints to interact with the application in ways normally restricted to authenticated users, resulting in potential full compromise of confidentiality, integrity, and availability of the ServiceDesk Plus instance.

Vendor release notes for build 11302 document the correction of the issue, and the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

Vulnerability details

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.

CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 01 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zohocorp
Product: manageengine servicedesk plus
Versions: 11.0, 11.1, 11.2, 11.3

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: directly enforces authentication and authorization checks on all REST-API endpoints, blocking the unauthenticated access that the CVE exposes.

IA-2 (Identification and Authentication (Organizational Users)), prevent: requires successful identification and authentication before any system access, eliminating the authentication-bypass condition described in the CVE.

AC-14 (Permitted Actions Without Identification or Authentication), prevent: explicitly identifies and limits the few permitted actions that may occur without identification or authentication, preventing exposure of the affected REST-API URLs.
