Security News > 2022 > January > Critical ManageEngine Desktop Server Bug Opens Orgs to Malware
A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned.
Zoho's ManageEngine Desktop Central is a unified endpoint management solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location.
The ability to install a.ZIP file paves the way for the installation of malware on all of the endpoints managed by the Desktop Central instance.
Cybercriminals can simply compromise one MSP's Desktop Central MSP edition and potentially gain access to the customers whose footprints are being managed using it, depending on security measures the provider has put in place.
This played out in September when a critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform was patched; it could allow remote attackers to bypass authentication and have free rein across users' Active Directory and cloud accounts.
That bug could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central and to elevate privileges - with an ultimate goal of dropping malware onto organizations' networks.
News URL
https://threatpost.com/critical-manageengine-desktop-server-bug-malware/177705/
Related news
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers (source)
- New IOCONTROL malware used in critical infrastructure attacks (source)
- New critical Apache Struts flaw exploited to find vulnerable servers (source)
- Docker Desktop blocked on Macs due to false malware alert (source)