CVE-2021-44077
Published: 29 November 2021
Summary
CVE-2021-44077 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Zoho ManageEngine ServiceDesk Plus MSP. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
Zoho ManageEngine ServiceDesk Plus versions before 11306, ServiceDesk Plus MSP versions before 10530, and SupportCenter Plus versions before 11014 are affected by an unauthenticated remote code execution vulnerability. The flaw is associated with /RestAPI endpoints in a servlet and the ImportTechnicians configuration entry in Struts, and it is tracked under CWE-306 for missing authentication of a critical function. It received a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access can invoke the affected REST API paths to execute arbitrary code on the underlying server, resulting in full compromise of confidentiality, integrity, and availability without any user interaction.
Vendor security advisories direct administrators to apply the patched releases (ServiceDesk Plus 11306, ServiceDesk Plus MSP 10530, and SupportCenter Plus 11014) and reference corresponding bulletins that detail the authentication bypass and remote code execution issues.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-30936
Vulnerability details
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 01 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved authorizations on the /RestAPI servlet endpoints, blocking the unauthenticated access that enables RCE.
- IA-8 (Identification and Authentication (Non-organizational Users)): requires identification and authentication of non-organizational users before allowing access to critical functions such as ImportTechnicians.
- SI-2 (Flaw Remediation): mandates timely remediation of the identified flaw via the vendor-supplied patches (11306/10530/11014) that restore proper authentication.