CVE-2021-20081
published 2021-06-10CVE-2021-20081: Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary…
PriorityP261high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
52.42%
98.8th percentile
Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_servicedesk_plus | < 11.2 | 11.2 |
| zohocorp | manageengine_servicedesk_plus | — | — |
| zohocorp | manageengine_servicedesk_plus | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/api/v3/custom_schedules
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Custom Schedules Arbitrary Command Execution (CVE-2021-20081)"; flow:established,to_server; http.uri; content:"/api/v3/custom_schedules"; fast_pattern; http.request_body; content:"executor_type"; content:"script"; within:20; reference:url,www.tenable.com/security/research/tra-2021-22; reference:cve,2021-20081; classtype:web-application-attack; sid:2066202; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2021_20081, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Exploit traffic targets the HTTP URI path /api/v3/custom_schedules via POST to the server (flow: established, to_server).
- →The HTTP request body must contain both the string 'executor_type' and the string 'script' within 20 bytes of each other — this combination is the key payload indicator for the command injection attempt.
- →The vulnerability is exploitable by a remote, authenticated attacker and results in arbitrary command execution with SYSTEM privileges — authentication bypass or stolen credentials may precede exploitation. ↗
- →Affects ManageEngine ServiceDesk Plus before version 11205; alert on any observed version below this threshold. ↗
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Custom Schedules Arbitrary Command Execution (CVE-2021-20081)
suricata·2025-12-09·CVSS 7.2
CVE-2021-20081 [HIGH] ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Custom Schedules Arbitrary Command Execution (CVE-2021-20081)
ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Custom Schedules Arbitrary Command Execution (CVE-2021-20081)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Custom Schedules Arbitrary Command Execution (CVE-2021-20081)"; flow:established,to_server; http.uri; content:"/api/v3/custom_schedules"; fast_pattern; http.request_body; content:"executor_type"; content:"script"; within:20; reference:url,www.tenable.com/security/research/tra-2021-22; reference:cve,2021-20081; classtype:web-application-attack; sid:2066202; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2021_20081, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Hi
No public exploits indexed.
No writeups or analysis indexed.
2021-06-10
Published