CVE-2021-44077
In short
Zoho ManageEngine ServiceDesk Plus and related products allow attackers to run malicious code on the server without needing to log in. This happens through a flaw in how the application handles REST API requests, putting all data and systems at serious risk.
Technical detail
An unauthenticated remote code execution vulnerability exists in the /RestAPI servlet endpoint due to improper access controls in the Struts framework configuration, specifically in the ImportTechnicians action. An attacker can exploit this without authentication to execute arbitrary code with the privileges of the server process. Affected versions: ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014.
Summary generated and translated by AI from the official description.
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found: 3
- github: github.com/horizon3ai/CVE-2021-44077 (★ 36)
- github: github.com/pizza-power/Golang-CVE-2021-44077-POC (★ 2)
- cve_reference: packetstormsecurity.com/files/165400/ManageEngine-ServiceDesk-Plus-Remote-Code-Execution.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/165400/ManageEngine-ServiceDesk-Plus-Remote-Code-Execution.html
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-msp-versions-10527-till-10529
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-supportcenter-plus-versions-11012-and-11013
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44077