Security News > 2021 > December > Determined APT is exploiting ManageEngine ServiceDesk Plus vulnerability (CVE-2021-44077)

An APT group is leveraging a critical vulnerability in Zoho ManageEngine ServiceDesk Plus to compromise organizations in a variety of sectors, including defense and tech.

CVE-2021-44077 is an authentication bypass vulnerability that affects ManageEngine ServiceDesk Plus installations using versions 11305 and earlier.

The source of the vulnerability is an improper security configuration process used in ServiceDesk Plus, and it allows attackers to gain unauthorized access to the application's data through a few of its application URLs.

Palo Alto Networks' Unit 42 has tied the activity to a "Persistent and determined APT actor" that has first used a zero-day vulnerability in ADSelfService in August and September, then switched to exploiting another vulnerability affecting the same software in September and October, and is now leveraging CVE-2021-44077 in the ServiceDesk Plus software.

"Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defense industries have been compromised. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states."

Unit 42's scanning for internet-facing instances of ManageEngine ServiceDesk Plus has revealed over 4,700 installations, 2,900 of which are vulnerable to exploitation.

News URL

https://www.helpnetsecurity.com/2021/12/03/cve-2021-44077/