CVE-2021-37415
published 2021-09-01

CVE-2021-37415: Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.

Priority: P1 (critical)
CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2021-12-15
Exploited in the wild
EPSS: 99.85% (100.0th percentile)

Affected

4 ranges

Vendor     Product                         Version range   Fixed in
zohocorp   manageengine_servicedesk_plus
zohocorp   manageengine_servicedesk_plus
zohocorp   manageengine_servicedesk_plus
zohocorp   manageengine_servicedesk_plus

Detection & IOCs (extracted from sources)

path: D:\ManageEngine\ServiceDesk\bin\msiexec.exe
filename: msiexec.exe
url: /api/v3/{{randbase(8)}}/../announcements
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Authentication Bypass (CVE-2021-37415)"; flow:established,to_server; http.uri; content:"/app/"; startswith; content:"/api/v3/requests"; fast_pattern; http.header; to_lowercase; content:!"authorization|3a 20|"; reference:url,nvd.nist.gov/vuln/detail/CVE-2021-37415; reference:cve,2021-37415; classtype:web-application-attack; sid:2066201; rev:2; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2021_37415, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit sends unauthenticated GET requests to the ServiceDesk REST API using a path-traversal pattern (e.g., /api/v3/<random>/../announcements) with no Authorization header present.
  • Successful exploitation returns HTTP 200 with a JSON body containing the fields 'status_code':2000, 'has_more_rows', and 'start_index' with Content-Type application/json — use these as confirmation matchers.
  • Network detection: look for HTTP requests to /app/.*/api/v3/requests URI path that lack an Authorization header — this is the unauthenticated REST API access pattern for CVE-2021-37415.
  • Post-exploitation: presence of msiexec.exe dropped at D:\ManageEngine\ServiceDesk\bin\msiexec.exe is a strong indicator of compromise — this path is not used by the legitimate Windows msiexec.exe.
  • The malicious dropper masquerades as msiexec.exe and is executed via the ServiceDesk application's Site24x7 installation command; monitor for msiexec.exe processes spawned from ManageEngine ServiceDesk service context with arguments '/i Site24x7WindowsAgent.msi EDITA1= /qn'.
  • The dropper deploys a Godzilla webshell for persistence; hunt for webshell artifacts in the ManageEngine ServiceDesk Plus web directory following exploitation.
  • Shodan/FOFA queries can identify exposed vulnerable instances for asset inventory: shodan-query 'http.title:"manageengine servicedesk plus"', fofa-query 'title="manageengine servicedesk plus"'.
  • The authentication bypass affects only ServiceDesk Plus versions before 11302; versions 11306 and above are not vulnerable to the related CVE-2021-44077 either. Ensure version checks in detections account for this boundary.
  • The Snort/ET rule (sid:2066201) requires TLS decryption (tls_state TLSDecrypt) to be effective in encrypted traffic environments; deploy with SSLDecrypt or at a TLS-terminating perimeter.
  • The PDB debug path 'sd11301.pdb' indicates the malicious dropper was specifically compiled to target ServiceDesk Plus versions 11301 and below; samples targeting higher sub-versions may differ.
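Added example (not from the source or from any of the cited detection sources): Python triage logic that applies the network-detection and confirmation bullets above to a set of constructed request records. It is deliberately broader than the ET rule (any REST API v3 path, not only /app/…/api/v3/requests) and normalizes the traversal form of the URI before matching; the record layout, field names and the AUTH_HEADERS set are assumptions.

```python
import json
import posixpath
from urllib.parse import urlsplit

# Constructed sample records (hypothetical proxy export, not real traffic).
SAMPLE_RECORDS = [
    {"uri": "/app/itdesk/api/v3/requests", "headers": {}, "status": 200,
     "body": '{"status_code":2000,"has_more_rows":false,"start_index":1}'},
    {"uri": "/api/v3/x7Qk2pLm/../announcements", "headers": {}, "status": 200,
     "body": '{"status_code":2000,"has_more_rows":false,"start_index":1}'},
    {"uri": "/app/itdesk/api/v3/requests", "headers": {"Authorization": "Bearer <token>"},
     "status": 200, "body": '{"status_code":2000}'},
    {"uri": "/app/itdesk/ui/requests", "headers": {}, "status": 200, "body": "<html>"},
]

# Assumption: Authorization is the only credential header in use. Extend this set
# for deployments whose API clients authenticate another way, or every client is flagged.
AUTH_HEADERS = {"authorization"}


def normalize_path(uri):
    """Collapse '.'/'..' so /api/v3/<random>/../announcements resolves to
    /api/v3/announcements; matching the raw URI would miss this form."""
    return posixpath.normpath(urlsplit(uri).path)


def is_unauthenticated_api_request(rec):
    """Broader than sid:2066201: any REST API v3 path, no credential header
    (names compared case-insensitively, as the rule's to_lowercase does)."""
    headers = {k.lower() for k in rec["headers"]}
    return "/api/v3/" in normalize_path(rec["uri"]) and not (headers & AUTH_HEADERS)


def looks_like_successful_bypass(rec):
    """Confirmation matcher from the bullets above: HTTP 200 with a JSON body
    carrying status_code 2000, has_more_rows and start_index."""
    if rec["status"] != 200:
        return False
    try:
        body = json.loads(rec["body"])
    except ValueError:
        return False
    return (isinstance(body, dict) and body.get("status_code") == 2000
            and {"has_more_rows", "start_index"} <= set(body))


def triage(records):
    """One finding per flagged record: normalized path, traversal flag, confirmation."""
    return [{"index": i, "normalized_path": normalize_path(r["uri"]),
             "path_traversal": "/../" in urlsplit(r["uri"]).path,
             "confirmed": looks_like_successful_bypass(r)}
            for i, r in enumerate(records) if is_unauthenticated_api_request(r)]
```

A flagged-but-unconfirmed finding (no 2000/has_more_rows/start_index body) is still worth a look, since a patched server answers the same request with an authentication error rather than data.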

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL