Attackers exploit another zero-day in ManageEngine software (CVE-2021-44515)
A vulnerability in ManageEngine Desktop Central is being leveraged in attacks in the wild to gain access to servers running the vulnerable software.
The issue is considered critical by the company and affects ManageEngine Desktop Central - a unified endpoint management solution - and ManageEngine Desktop Central MSP - endpoint management software for MSPs. If installations of the latter are compromised, attackers could use the access to compromise endpoints and networks of MSPs' client organizations.
ManageEngine has fixed the vulnerability and is advising customers to take action.
ManageEngine did not share the nature of the attacks.
It seems likely that attackers have created their own exploit, as apparently happened with an authentication bypass vulnerability in ManageEngine ServiceDesk Plus.
Researchers with Palo Alto Networks' Unit 42 have also urged MSPs to update their ManageEngine Password Manager Pro software, as they have found evidence the attackers might be preparing to leverage a known vulnerability affecting it.
News URL
https://www.helpnetsecurity.com/2021/12/07/cve-2021-44515/