Security News > 2022 > January > Critical ManageEngine Desktop Server Bug Opens Orgs to Malware

A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned.
Zoho's ManageEngine Desktop Central is a unified endpoint management solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location.
The ability to install a .ZIP file paves the way for the installation of malware on all of the endpoints managed by the Desktop Central instance.
Cybercriminals can simply compromise one MSP's Desktop Central MSP edition and potentially gain access to the customers whose footprints are being managed using it, depending on security measures the provider has put in place.
This played out in September when a critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform was patched; it could allow remote attackers to bypass authentication and have free rein across users' Active Directory and cloud accounts.
That bug could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central and to elevate privileges - with an ultimate goal of dropping malware onto organizations' networks.
News URL
https://threatpost.com/critical-manageengine-desktop-server-bug-malware/177705/