CVE-2021-37415
Published 2021-09-01
CVE-2021-37415: Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Priority: P1 · CVSS 3.1: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2021-12-15
Exploited in the wild
EPSS: 99.85% (100.0th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_servicedesk_plus | — | — |
(The source lists four identical ranges for this vendor/product; the version range and fixed-in values were not captured.)
Detection & IOCs (extracted from sources)
- url: /api/v3/{{randbase(8)}}/../announcements
- snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Authentication Bypass (CVE-2021-37415)"; flow:established,to_server; http.uri; content:"/app/"; startswith; content:"/api/v3/requests"; fast_pattern; http.header; to_lowercase; content:!"authorization|3a 20|"; reference:url,nvd.nist.gov/vuln/detail/CVE-2021-37415; reference:cve,2021-37415; classtype:web-application-attack; sid:2066201; rev:2; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2021_37415, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit sends unauthenticated GET requests to the ServiceDesk REST API using a path-traversal pattern (e.g., /api/v3/<random>/../announcements) with no Authorization header present.
- Successful exploitation returns HTTP 200 with a JSON body containing the fields 'status_code':2000, 'has_more_rows', and 'start_index' with Content-Type application/json; use these as confirmation matchers.
- Network detection: look for HTTP requests to the /app/.*/api/v3/requests URI path that lack an Authorization header; this is the unauthenticated REST API access pattern for CVE-2021-37415.
- Post-exploitation: presence of msiexec.exe dropped at D:\ManageEngine\ServiceDesk\bin\msiexec.exe is a strong indicator of compromise; this path is not used by the legitimate Windows msiexec.exe.
- The malicious dropper masquerades as msiexec.exe and is executed via the ServiceDesk application's Site24x7 installation command; monitor for msiexec.exe processes spawned from the ManageEngine ServiceDesk service context with arguments '/i Site24x7WindowsAgent.msi EDITA1= /qn'.
- The dropper deploys a Godzilla webshell for persistence; hunt for webshell artifacts in the ManageEngine ServiceDesk Plus web directory following exploitation.
- Shodan/FOFA queries can identify exposed vulnerable instances for asset inventory: shodan-query 'http.title:"manageengine servicedesk plus"', fofa-query 'title="manageengine servicedesk plus"'.
- The authentication bypass affects only ServiceDesk Plus versions before 11302; versions 11306 and above are not vulnerable to the related CVE-2021-44077 either. Ensure version checks in detections account for this boundary.
- The Snort/ET rule (sid:2066201) requires TLS decryption (tls_state TLSDecrypt) to be effective in encrypted traffic environments; deploy with SSLDecrypt or at a TLS-terminating perimeter.
- The PDB debug path 'sd11301.pdb' indicates the malicious dropper was specifically compiled to target ServiceDesk Plus versions 11301 and below; samples targeting higher sub-versions may differ.
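The request-side pattern (no Authorization header on /app/*/api/v3/requests, or a '..' segment under /api/v3) and the response-side confirmation (HTTP 200 JSON with status_code 2000) from the notes above, implemented as a small log-record classifier. This is an added example, not code from any of the page's sources; the HttpRecord shape and the sample records are assumptions constructed for the demonstration.

```python
import posixpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Request-side patterns from the detection notes: the ET rule's /app/*/api/v3/requests
# path and the /api/v3/<random>/../<endpoint> traversal IOC. Record shape is hypothetical.
ET_RULE_PATH = re.compile(r"^/app/[^/]+/api/v3/requests(?:[/?]|$)")
API_V3_PREFIX = re.compile(r"^(?:/app/[^/]+)?/api/v3/")

@dataclass
class HttpRecord:
    uri: str
    headers: dict = field(default_factory=dict)  # request headers
    status: int = 0                               # response status, 0 if unknown
    body: str = ""                                # response body, "" if unknown

def classify(rec: HttpRecord) -> Optional[str]:
    """Return why the record looks like the bypass pattern, or None if it does not."""
    # Header names are case-insensitive; the ET rule lowercases before matching.
    if any(name.lower() == "authorization" for name in rec.headers):
        return None
    raw_path = rec.uri.split("?", 1)[0]
    if ET_RULE_PATH.match(raw_path):
        return "unauthenticated /app/*/api/v3/requests access (sid:2066201 pattern)"
    if API_V3_PREFIX.match(raw_path) and ".." in raw_path.split("/"):
        # Traversal IOC: the '..' segment only collapses to the real endpoint server-side.
        return "dot-dot segment under /api/v3 collapsing to " + posixpath.normpath(raw_path)
    return None

def confirmed(rec: HttpRecord) -> bool:
    """Response-side confirmation from the notes: HTTP 200 JSON carrying status_code 2000."""
    compact = re.sub(r"\s+", "", rec.body)
    return rec.status == 200 and '"status_code":2000' in compact and "has_more_rows" in compact

def scan(records) -> list:
    """Return (uri, reason, confirmed) for every record matching the bypass pattern."""
    return [(r.uri, reason, confirmed(r)) for r in records if (reason := classify(r))]

# Constructed sample records, not captured traffic.
SAMPLE = [
    HttpRecord("/app/itdesk/api/v3/requests?input_data=%7B%7D", {"Accept": "*/*"}, 200,
               '{"response_status": {"status_code": 2000}, "has_more_rows": false, "start_index": 1}'),
    HttpRecord("/api/v3/ab12cd34/../announcements", {}, 200,
               '{"response_status": {"status_code": 2000}, "has_more_rows": false}'),
    HttpRecord("/app/itdesk/api/v3/requests", {"Authorization": "Bearer REDACTED"}, 200, "{}"),
    HttpRecord("/app/itdesk/ui/requests", {}, 200, "<html>"),
]
```

Feeding the records to scan() returns two hits, both confirmed by the response body; the authenticated request and the UI request are ignored. Like the ET rule, this only works on decrypted traffic or on logs written after TLS termination.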
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-wf6j-6x58-69fg (ghsa_unreviewed · 2022-05-24): CVE-2021-37415 [CRITICAL] CWE-287
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
VulnCheck
Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability (vulncheck · 2021 · CVSS 9.8): CVE-2021-37415 [CRITICAL] CWE-306
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Affected: Zoho ManageEngine ServiceDesk Plus (SDP)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2021-12-15
CISA
Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability (cisa · 2021-12-01 · CVSS 9.8): CVE-2021-37415 [CRITICAL] CWE-306
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Affected: Zoho ManageEngine ServiceDesk Plus (SDP)
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-37415
Remediation Due Date: 2021-12-15
Suricata
ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Authentication Bypass (CVE-2021-37415) (suricata · 2025-12-09 · CVSS 9.8): CVE-2021-37415 [CRITICAL]
Rule: sid:2066201, rev:2; the full rule text is quoted in the Detection & IOCs section above.
Nuclei
Zoho ManageEngine ServiceDesk Plus - Authentication Bypass (nuclei · CVSS 9.8): CVE-2021-37415 [CRITICAL]
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Template (truncated in the source):
```yaml
id: CVE-2021-37415

info:
  name: Zoho ManageEngine ServiceDesk Plus - Authentication Bypass
  author: daffainfo,jjcho
  severity: critical
  description: |
    Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
  remediation: |
    Update to version 11302 or later.
  impact: |
    Attackers can access sensitive functionalities and data without authentication, potentially leading to data disclosure or unauthorized actions.
  reference:
    - https://www.manageengine.com/products/service-desk/on-premises/readme.html#11
```
Tenable
CVE-2022-47523: ManageEngine Password Manager Pro, PAM360 and Access Manager Plus SQL Injection Vulnerability (blogs_tenable · 2023-01-05 · CVSS 9.8) [CRITICAL]
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR (blogs_qualys · 2022-02-23)
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42
APT Expands Attack on ManageEngine With Active Campaign Against ServiceDesk Plus (blogs_unit42 · 2021-12-02)
## Executive Summary
Over the course of three months, a persistent and determined APT actor has launched multiple campaigns which have now resulted in compromises to at least 4 additional organizations, for a total of 13. Beginning on Sept. 16, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. Building upon the findings of that initial report, on Nov. 7, Unit 42 disclosed a second, more sophisticated, active and difficult-to-detect campaign that had resulted in the compromise of at least nine organizations.
As an update to our initial
Authors: Robert Falcone, Peter Renals. Published: December 2, 2021. Tags: Threat Research, Cybercrime, Advanced Persistent Threat, Godzilla webshell, ServiceDesk Plus, TiltedTemple, Zoho ManageEngine.
CWE
CWE-306: Missing Authentication for Critical Function (mitre_cwe)
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Modes of Introduction:
Phase: Architecture and Design
Note: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Phase: Architecture and Design
Note: Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will conne
CWE
CWE-287: Improper Authentication (mitre_cwe)
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands. This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.
Detection Methods:
Automated Static Analysis: Automated static analysis is useful for de
CWE
CWE-284: Improper Access Control (mitre_cwe)
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Access control involves the use of several protection mechanisms such as: Authentication (proving the identity of an actor); Authorization (ensuring that a given actor can access a resource); and Accountability (tracking of activities that were performed). When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the reso
References
- https://www.manageengine.com
- https://www.manageengine.com/products/service-desk/on-premises/readme.html#11302
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-37415
Timeline
- 2021-09-01: Published
- 2021-12-01: Added to CISA KEV
- Exploited in the wild