CVE-2021-44077
published 2021-11-29


Priority: P1 · 98 critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2021-12-15
Exploited in the wild
EPSS: 93.51% (99.8th percentile)
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

Affected (8 ranges)

Vendor     Product                            Version range   Fixed in
zohocorp   manageengine_servicedesk_plus      < 11.1          11.1
zohocorp   manageengine_servicedesk_plus
zohocorp   manageengine_servicedesk_plus
zohocorp   manageengine_servicedesk_plus
zohocorp   manageengine_servicedesk_plus_msp  < 10.5          10.5
zohocorp   manageengine_servicedesk_plus_msp
zohocorp   manageengine_supportcenter_plus    < 11.0          11.0
zohocorp   manageengine_supportcenter_plus

Detection & IOCs (extracted from sources)

hash:     ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7
path:     D:\ManageEngine\ServiceDesk\bin\msiexec.exe
path:     C:\Program Files\ManageEngine\SupportCenterPlus\bin\msiexec.exe
path:     C:\Program Files\ManageEngine\SupportCenterPlus\Custom\Login\fm2.jsp
url:      /RestAPI/ImportTechnicians?step=1
ip:       2.58.56.14
ip:       185.220.101.76
filename: msiexec.exe
filename: fm2.jsp
command:  msiexec.exe /i Site24x7WindowsAgent.msi EDITA1= /qn
url:      https://server.example/custom/login/fm2.jsp?cmd=arp -a
  • Hunt for JSP webshell fm2.jsp written to the web-accessible path C:\Program Files\ManageEngine\SupportCenterPlus\Custom\Login\ and accessed via HTTP with a ?cmd= query parameter.
  • Use Palo Alto Networks Threat Prevention signature ID 91949 ('Zoho ManageEngine ServiceDesk Plus File Upload Vulnerability') to block inbound exploitation attempts.
  • Flag processes spawned by the ManageEngine ServiceDesk/SupportCenter application that execute 'msiexec.exe /i Site24x7WindowsAgent.msi EDITA1= /qn' — this is the trigger command used to launch the malicious dropper.
  • Look for PDB debug paths containing 'pwn' as the username (e.g., C:\Users\pwn\...) in dropped binaries — this artifact was consistent across multiple droppers in the TiltedTemple campaign.
  • For SockDetour (secondary backdoor used in TiltedTemple): detect anomalous TLS-like traffic (starting with bytes 17 03 03) arriving on non-TLS service ports without a preceding TLS handshake, as SockDetour hijacks existing TCP sockets to disguise C2 traffic.
  • Monitor Catalina/application logs on ManageEngine servers for StuckThreadDetectionValve warnings referencing /login/fm2.jsp, which indicate long-running webshell commands (e.g., tunneling scripts).
  • ServiceDesk Plus version 11306 and above are NOT vulnerable — Zoho released the patch on Sept. 16, 2021, three months before the CVE was publicly disclosed. Build 11305 is vulnerable to the authentication bypass but NOT the file upload component of the exploit.
  • The Metasploit module notes that build 11305 is vulnerable to the authentication bypass but not the file upload stage; the module checks for an exploitable build before proceeding.
  • Exploitation requires two sequential unauthenticated REST API requests; both must succeed for RCE — blocking either /RestAPI/ImportTechnicians or /RestAPI/s247action endpoints is sufficient to prevent exploitation.
  • As of early December 2021, no public proof-of-concept exploit code was known to exist; the APT actor is assessed to have independently developed the exploit.
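The web-log, process-creation and SockDetour checks from the bullets above, as an added triage script (not code from this page's sources). The access-log lines, the EDR-style process records and the java.exe parent path are constructed for the example; the endpoints, file name, command line and 17 03 03 record prefix come from the IOCs listed above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample telemetry (not real logs) mirroring the IOCs listed above.
WEB_LOG = [
    '10.0.0.5 - - [01/Dec/2021:10:01:02 +0000] "POST /RestAPI/ImportTechnicians?step=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Dec/2021:10:01:09 +0000] "GET /custom/login/fm2.jsp?cmd=arp+-a HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Dec/2021:10:02:00 +0000] "GET /RestAPI/s247action HTTP/1.1" 401 0',
    '10.0.0.7 - - [01/Dec/2021:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 9000',
]
PROC_EVENTS = [  # hypothetical EDR records: parent image and child command line
    {"parent": r"D:\ManageEngine\ServiceDesk\jre\bin\java.exe",   # constructed parent path
     "cmdline": "msiexec.exe /i Site24x7WindowsAgent.msi EDITA1= /qn"},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "msiexec.exe /i 7zip.msi /qn"},
]

# Combined-log-format prefix: client, identd, user, [timestamp], "METHOD target PROTO"
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Both unauthenticated REST stages; blocking either breaks the exploit chain.
EXPLOIT_PATHS = ("/restapi/importtechnicians", "/restapi/s247action")

def flag_web_requests(lines):
    """Return (client, reason) for exploit-stage requests and fm2.jsp webshell use."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        parts = urlsplit(target)
        path = parts.path.lower()
        if path.startswith(EXPLOIT_PATHS):
            hits.append((client, "unauthenticated RestAPI exploit stage: " + parts.path))
        elif path.endswith("/fm2.jsp") and "cmd" in parse_qs(parts.query):
            hits.append((client, "fm2.jsp webshell command: " + parse_qs(parts.query)["cmd"][0]))
    return hits

def flag_process_events(events):
    """Flag the dropper trigger: msiexec installing Site24x7WindowsAgent.msi,
    launched from a process living under the ManageEngine install tree."""
    return [e for e in events
            if "\\manageengine\\" in e["parent"].lower()
            and re.search(r"msiexec(\.exe)?\s+/i\s+site24x7windowsagent\.msi", e["cmdline"], re.I)]

def sockdetour_like(first_bytes, dst_port, tls_ports=(443, 8443)):
    """True when a flow to a non-TLS port opens with a TLS application-data
    record (17 03 03) instead of a ClientHello (16 03 xx): no handshake preceded it."""
    return dst_port not in tls_ports and first_bytes[:3] == b"\x17\x03\x03"
```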

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL