
Determined APT is exploiting ManageEngine ServiceDesk Plus vulnerability (CVE-2021-44077)
2021-12-03 10:34

An APT group is leveraging a critical vulnerability in Zoho ManageEngine ServiceDesk Plus to compromise organizations in a variety of sectors, including defense and tech.

CVE-2021-44077 is an authentication bypass vulnerability that affects ManageEngine ServiceDesk Plus installations using versions 11305 and earlier.

The vulnerability stems from an improper security configuration in ServiceDesk Plus, which allows attackers to gain unauthorized access to the application's data through several of its application URLs.

Palo Alto Networks' Unit 42 has tied the activity to a "persistent and determined APT actor" that first used a zero-day vulnerability in ADSelfService Plus in August and September, then switched to exploiting another vulnerability affecting the same software in September and October, and is now leveraging CVE-2021-44077 in the ServiceDesk Plus software.

"Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defense industries have been compromised. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states."

Unit 42's scanning for internet-facing instances of ManageEngine ServiceDesk Plus has revealed over 4,700 installations, 2,900 of which are vulnerable to exploitation.


News URL

https://www.helpnetsecurity.com/2021/12/03/cve-2021-44077/

Related Vulnerability

DATE: 2021-11-29
CVE: CVE-2021-44077
VULNERABILITY TITLE: Missing Authentication for Critical Function vulnerability in Zohocorp products
DESCRIPTION: Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.
RISK: network attack vector, low complexity, vendor zohocorp, CWE-306, critical, CVSS base score 9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Manageengine 9 0 3 4 3 10