cbcvebase.
CVE-2021-20081
published 2021-06-10

CVE-2021-20081: Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary…

PriorityP261high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
52.42%
98.8th percentile
Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.

Affected

3 ranges
VendorProductVersion rangeFixed in
zohocorpmanageengine_servicedesk_plus< 11.211.2
zohocorpmanageengine_servicedesk_plus
zohocorpmanageengine_servicedesk_plus

Detection & IOCsextracted from sources · hover to see the quote

url/api/v3/custom_schedules
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Custom Schedules Arbitrary Command Execution (CVE-2021-20081)"; flow:established,to_server; http.uri; content:"/api/v3/custom_schedules"; fast_pattern; http.request_body; content:"executor_type"; content:"script"; within:20; reference:url,www.tenable.com/security/research/tra-2021-22; reference:cve,2021-20081; classtype:web-application-attack; sid:2066202; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2021_20081, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic targets the HTTP URI path /api/v3/custom_schedules via POST to the server (flow: established, to_server).
  • The HTTP request body must contain both the string 'executor_type' and the string 'script' within 20 bytes of each other — this combination is the key payload indicator for the command injection attempt.
  • The vulnerability is exploitable by a remote, authenticated attacker and results in arbitrary command execution with SYSTEM privileges — authentication bypass or stolen credentials may precede exploitation.
  • Affects ManageEngine ServiceDesk Plus before version 11205; alert on any observed version below this threshold.

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.