
CVE-2021-44077

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 29 November 2021
Modified: 31 October 2025
KEV Added: 01 December 2021
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9430 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-44077 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Zoho ManageEngine ServiceDesk Plus MSP. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication of Non-organizational Users).

Deeper analysis

Zoho ManageEngine ServiceDesk Plus versions before 11306, ServiceDesk Plus MSP versions before 10530, and SupportCenter Plus versions before 11014 are affected by an unauthenticated remote code execution vulnerability. The flaw is associated with /RestAPI endpoints in a servlet and the ImportTechnicians configuration entry in Struts, and it is tracked under CWE-306 for missing authentication of a critical function. It received a CVSS 3.1 base score of 9.8.

An unauthenticated attacker with network access can invoke the affected REST API paths to execute arbitrary code on the underlying server, resulting in full compromise of confidentiality, integrity, and availability without any user interaction.

Vendor security advisories direct administrators to apply the patched releases (ServiceDesk Plus 11306, ServiceDesk Plus MSP 10530, and SupportCenter Plus 11014) and reference corresponding bulletins that detail the authentication bypass and remote code execution issues.


Vulnerability details

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 01 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zohocorp manageengine servicedesk plus: 11.1, 11.2, 11.3 · ≤ 11.1
zohocorp manageengine servicedesk plus msp: 10.5 · ≤ 10.5
zohocorp manageengine supportcenter plus: 11.0 · ≤ 11.0

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Directly enforces approved authorizations on the /RestAPI servlet endpoints, blocking the unauthenticated access that enables RCE.

prevent (IA-8, Identification and Authentication of Non-organizational Users): Requires identification and authentication of non-organizational users before allowing access to critical functions such as ImportTechnicians.

prevent: Mandates timely remediation of the identified flaw via the vendor-supplied patches (11306/10530/11014) that restore proper authentication.
