CVE-2021-44077
Published 2021-11-29
CVE-2021-44077: Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated…
Priority: P1 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2021-12-15
Exploited in the wild
EPSS: 93.51% (99.8th percentile)
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
Affected (8 CPE ranges)
The CPE ranges below are coarse (major version only). The vendor advisories linked under References scope the vulnerable builds as ServiceDesk Plus 11138 up to 11305 (fixed in 11306), ServiceDesk Plus MSP 10527 to 10529 (fixed in 10530) and SupportCenter Plus 11012 and 11013 (fixed in 11014).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_servicedesk_plus | < 11.1 | 11.1 |
| zohocorp | manageengine_servicedesk_plus | — | — |
| zohocorp | manageengine_servicedesk_plus | — | — |
| zohocorp | manageengine_servicedesk_plus | — | — |
| zohocorp | manageengine_servicedesk_plus_msp | < 10.5 | 10.5 |
| zohocorp | manageengine_servicedesk_plus_msp | — | — |
| zohocorp | manageengine_supportcenter_plus | < 11.0 | 11.0 |
| zohocorp | manageengine_supportcenter_plus | — | — |
Detection & IOCs (extracted from the sources below)
- Hunt for the JSP webshell fm2.jsp written to the web-accessible path C:\Program Files\ManageEngine\SupportCenterPlus\Custom\Login\ and invoked over HTTP with a ?cmd= query parameter.
- Palo Alto Networks Threat Prevention signature ID 91949 ('Zoho ManageEngine ServiceDesk Plus File Upload Vulnerability') blocks inbound exploitation attempts.
- Flag processes spawned by the ManageEngine ServiceDesk/SupportCenter application that execute 'msiexec.exe /i Site24x7WindowsAgent.msi EDITA1= /qn'. This is the trigger command used to launch the malicious dropper; the binary executed is the attacker-uploaded file named msiexec.exe (see the Metasploit entry below), not the Windows installer.
- Look for PDB debug paths with 'pwn' as the username (e.g. C:\Users\pwn\...) in dropped binaries; this artifact was consistent across multiple droppers in the TiltedTemple campaign.
- For SockDetour (the secondary backdoor used in TiltedTemple): detect TLS-like traffic (starting with bytes 17 03 03) arriving on non-TLS service ports without a preceding TLS handshake. SockDetour hijacks existing TCP sockets of a legitimate service to disguise its C2 traffic.
- Monitor Catalina/application logs on ManageEngine servers for StuckThreadDetectionValve warnings referencing /login/fm2.jsp; these indicate long-running webshell commands (e.g. tunneling scripts).
- Patch status: ServiceDesk Plus builds 11306 and later are not vulnerable. Zoho released the fixed build on Sept. 16, 2021, more than two months before the CVE was published on Nov. 29, 2021. Build 11305 is exposed to the authentication bypass but not to the file-upload stage; the Metasploit module checks for an exploitable build before proceeding.
- Exploitation requires two sequential unauthenticated REST API requests, a file upload via /RestAPI/ImportTechnicians followed by a request to /RestAPI/s247action that triggers execution, and both must succeed for RCE. Blocking either endpoint at the perimeter breaks this known chain, but only as a stopgap: the underlying authentication bypass covers /RestAPI URLs in the servlet generally, so upgrade to a fixed build.
- As of early December 2021 no public proof-of-concept exploit code was known, and the APT actor is assessed to have developed the exploit independently. A Metasploit module and a Packet Storm exploit (both listed below) have since been published.
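The host and log indicators above, turned into a small hunting script. This is an added example written for this page, not tooling from Unit 42, CISA or any vendor; the access-log layout (Tomcat "common" format), the Sysmon/EDR event field names, the ServiceDesk install tree used in the sample process event, and the "msiexec.exe outside %SystemRoot%" heuristic are assumptions, and all sample telemetry is constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators lifted from the IOC list above (CVE-2021-44077 / TiltedTemple).
WEBSHELL = "fm2.jsp"
WEBSHELL_DIR_TAIL = ("custom", "login")              # ...\Custom\Login\fm2.jsp
REST_STAGES = ("/restapi/importtechnicians", "/restapi/s247action")
TRIGGER_CMD = re.compile(r"msiexec\.exe\s+/i\s+Site24x7WindowsAgent\.msi\s+EDITA1=\s*/qn", re.I)
PDB_PWN_USER = re.compile(r"[a-z]:\\users\\pwn\\", re.I)

# Assumption: Tomcat "common" access-log layout; adjust the regex to your format.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def scan_access_log(lines):
    """Return (line_no, rule, src, target) for requests matching the web-facing IOCs."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        path = path.lower()
        if path.endswith("/" + WEBSHELL) and "cmd=" in query.lower():
            hits.append((n, "webshell-command", m["src"], m["target"]))
        elif m["method"] == "POST" and any(path.startswith(ep) for ep in REST_STAGES):
            hits.append((n, "restapi-exploit-stage", m["src"], m["target"]))
    return hits


def scan_catalina_log(lines):
    """Long-running webshell commands surface as StuckThreadDetectionValve warnings."""
    return [(n, "stuck-thread-webshell", line.strip()) for n, line in enumerate(lines, 1)
            if "StuckThreadDetectionValve" in line and WEBSHELL in line]


def scan_process_events(events):
    """events: dicts with parent/image/cmdline (assumed Sysmon EID 1 / EDR field names)."""
    hits = []
    for e in events:
        cmd, image, parent = e.get("cmdline", ""), e.get("image", ""), e.get("parent", "")
        if TRIGGER_CMD.search(cmd):
            # The trigger command is the indicator; a ManageEngine parent raises confidence.
            conf = "high" if "manageengine" in parent.lower() else "medium"
            hits.append(("dropper-trigger", conf, cmd))
        elif image.lower().endswith(r"\msiexec.exe") and "\\windows\\" not in image.lower():
            # Added heuristic (assumption): the uploaded binary is *named* msiexec.exe
            # but lives in the application tree rather than under %SystemRoot%.
            hits.append(("msiexec-outside-systemroot", "medium", image))
    return hits


def scan_binary_strings(strings_by_file):
    """strings_by_file: {path: [printable strings]}, e.g. `strings` output for dropped binaries."""
    return [("pdb-pwn-user", path, s) for path, strs in strings_by_file.items()
            for s in strs if PDB_PWN_USER.search(s)]


def scan_file_listing(paths):
    """Flag fm2.jsp sitting in a ...\\Custom\\Login directory (file inventory or file-create events)."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parts = tuple(x.lower() for x in wp.parts)
        if wp.name.lower() == WEBSHELL and parts[-3:-1] == WEBSHELL_DIR_TAIL:
            hits.append(("webshell-on-disk", str(wp)))
    return hits


# Constructed sample telemetry (not real incident data).
SAMPLE_ACCESS = [
    '203.0.113.9 - - [03/Dec/2021:10:15:01 +0000] "POST /RestAPI/ImportTechnicians HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Dec/2021:10:15:04 +0000] "POST /RestAPI/s247action HTTP/1.1" 200 88',
    '203.0.113.9 - - [03/Dec/2021:10:16:30 +0000] "GET /custom/login/fm2.jsp?cmd=whoami HTTP/1.1" 200 41',
    '10.0.0.21 - - [03/Dec/2021:10:17:00 +0000] "GET /RestAPI/ImportTechnicians HTTP/1.1" 405 0',
    '10.0.0.22 - - [03/Dec/2021:10:18:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
SAMPLE_CATALINA = [
    "03-Dec-2021 10:20:05.112 WARNING [ContainerBackgroundProcessor] "
    "org.apache.catalina.valves.StuckThreadDetectionValve.notifyStuckThreadDetected "
    "Thread [http-nio-8080-exec-7] has been active for [65,012] milliseconds to serve the same "
    "request for [http://helpdesk.example/custom/login/fm2.jsp?cmd=powershell+-f+t.ps1]",
    "03-Dec-2021 10:21:00.000 INFO [main] org.apache.catalina.startup.Catalina.start Server startup",
]
SAMPLE_PROCS = [
    {"parent": r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",   # assumed layout
     "image": r"C:\Program Files\ManageEngine\ServiceDesk\bin\msiexec.exe",
     "cmdline": "msiexec.exe /i Site24x7WindowsAgent.msi EDITA1= /qn"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i vendor-tool.msi /qn"},
]
SAMPLE_STRINGS = {"dropper.exe": [r"C:\Users\pwn\source\repos\agent\Release\agent.pdb", "kernel32.dll"]}
SAMPLE_FILES = [r"C:\Program Files\ManageEngine\SupportCenterPlus\Custom\Login\fm2.jsp",
                r"C:\Program Files\ManageEngine\SupportCenterPlus\Custom\Login\logo.png"]


def hunt():
    """Run every detector over the constructed samples; returns {detector: findings}."""
    return {
        "access_log": scan_access_log(SAMPLE_ACCESS),
        "catalina_log": scan_catalina_log(SAMPLE_CATALINA),
        "process_events": scan_process_events(SAMPLE_PROCS),
        "binary_strings": scan_binary_strings(SAMPLE_STRINGS),
        "file_listing": scan_file_listing(SAMPLE_FILES),
    }


if __name__ == "__main__":
    for name, findings in hunt().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

The access-log detector deliberately requires the POST method for the two REST endpoints and the cmd= parameter for fm2.jsp, so a scanner's GET probe or a legitimate fetch of a same-named file does not fire; in production, feed it the real Tomcat access log from the ManageEngine install and treat any restapi-exploit-stage hit from an external source as an incident, since these endpoints should never be reached unauthenticated.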
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
GHSA
GHSA-xm89-vxjx-jvcg · ghsa_unreviewed · 2021-11-30 · CVE-2021-44077 [CRITICAL] · CWE-287
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
VulnCheck
Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability
vulncheck · 2021 · CVSS 9.8 · CVE-2021-44077 [CRITICAL] · CWE-306
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution
Affected: Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://cisa.gov/news-events/alerts/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho
- https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
- https://cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- https://go.crowdstrike.com/rs/281-OBQ-266/images/R
CISA
Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability
cisa · 2021-12-01 · CVSS 9.8 · CVE-2021-44077 [CRITICAL] · CWE-306
Affected: Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-44077
Remediation Due Date: 2021-12-15
Suricata
ET EXPLOIT [CISA AA21-336A] Zoho ManageEngine ServiceDesk Possible Exploitation Activity (CVE-2021-44077)
suricata · 2021-12-03 · CVSS 9.8 · CVE-2021-44077 [CRITICAL]
The rule matches the upload stage only: a POST to /RestAPI/ImportTechnicians whose multipart body carries filename="msiexec.exe".
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [CISA AA21-336A] Zoho ManageEngine ServiceDesk Possible Exploitation Activity (CVE-2021-44077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/ImportTechnicians"; fast_pattern; http.request_body; content:"filename=|22|msiexec.exe|22|"; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-336a; reference:cve,2021-44077; reference:url,attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis; classtype:attempted-admin; sid:2034577; rev:2; metadata:attack_target Server, created_at 2021_12_03, cve CVE_2021_44077, deployment Perimeter, deployment Internal, confidence Medium, s
Metasploit
ManageEngine ServiceDesk Plus CVE-2021-44077
metasploit · CVSS 9.8 · CVE-2021-44077 [CRITICAL]
This module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build.
Nuclei
Zoho ManageEngine ServiceDesk Plus - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2021-44077 [CRITICAL]
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.
Template:
id: CVE-2021-44077
info:
  name: Zoho ManageEngine ServiceDesk Plus - Remote Code Execution
  author: Adam Crosser,gy741
  severity: critical
  description: Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of Zoho ManageE
Tenable
CVE-2022-47523: ManageEngine Password Manager Pro, PAM360 and Access Manager Plus SQL Injection Vulnerability
blogs_tenable · 2023-01-05 · CVSS 9.8 [CRITICAL]
Dfir Report
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
blogs_dfir_report · 2022-06-06 · CVSS 9.8 [CRITICAL]
Unit42
SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
blogs_unit42 · Published February 24, 2022 · tagged CVE-2021-28799 [CRITICAL, CVSS 10.0], CVE-2021-40539 [CRITICAL, CVSS 9.8], CVE-2021-44077 · Malware, Threat Research, Vulnerabilities, Advanced Persistent Threat, Backdoor, TiltedTemple, Windows
## Executive Summary
Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. The threat actors involved use a variety of techniques to gain access to and persistence in compromised systems and have successfully compromised more than a dozen organizations across the technology, energy, healthcare, education, finance and defense industries. In conducting further analysis of this campaign, we identified another sophisticated tool being used to maintain persistence, which we call SockDetour.
A custom backdoor, SockDetour is designed to serve as a backup backdoor in case the primary one is removed. It is diffic
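The SockDetour network indicator from the IOC list (a 17 03 03 application-data record arriving with no prior TLS handshake, on a port that is not expected to speak TLS), as a stream-level heuristic. This is an added example written for this page, not Unit 42's tooling; it generalizes slightly beyond the bullet, since a client's first TLS record is always a handshake (ClientHello) on any port, so application data as the very first bytes is anomalous everywhere and merely ranks higher on non-TLS ports. The port list and the connection-record shape are assumptions, and the sample connections are constructed.

```python
# Client->server TLS record framing: byte 0 = content type, bytes 1-2 = record version.
TLS_HDR_LEN = 5
CT_HANDSHAKE, CT_APPDATA = 0x16, 0x17
TLS_VERSIONS = {b"\x03\x01", b"\x03\x02", b"\x03\x03"}   # record-layer versions seen on the wire
TLS_PORTS = frozenset({443, 8443, 993, 995})            # assumption: ports where TLS is expected


def classify_record(payload):
    """'handshake', 'appdata', or None depending on the TLS record type the payload starts with."""
    if len(payload) < TLS_HDR_LEN or payload[1:3] not in TLS_VERSIONS:
        return None
    return {CT_HANDSHAKE: "handshake", CT_APPDATA: "appdata"}.get(payload[0])


def analyse_connection(conn):
    """conn: {'id', 'dst_port', 'from_start', 'payloads'} with payloads in client->server order.

    from_start must be True only when the capture includes the connection's SYN; a capture
    that joins an ordinary TLS session mid-stream looks exactly like the indicator."""
    payloads = [p for p in conn["payloads"] if p]
    if not conn["from_start"] or not payloads:
        return "unknown", "capture does not include the start of the connection"
    first = classify_record(payloads[0])
    if first == "handshake":
        return "benign", "TLS handshake precedes application data"
    if first == "appdata":
        if conn["dst_port"] in TLS_PORTS:
            return "suspicious", "application-data record with no handshake on a TLS port"
        return "alert", f"17 03 03 record with no handshake on non-TLS port {conn['dst_port']}"
    return "benign", "not TLS-framed"


def scan(conns):
    """Verdict per connection: (id, verdict, reason)."""
    return [(c["id"], *analyse_connection(c)) for c in conns]


# Constructed sample connections; only the first client payload matters.
APPDATA = b"\x17\x03\x03\x00\x20" + b"\x41" * 32                      # TLS application-data record
CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
SAMPLE_CONNS = [
    {"id": "A", "dst_port": 8080, "from_start": True,  "payloads": [APPDATA]},
    {"id": "B", "dst_port": 443,  "from_start": True,  "payloads": [CLIENT_HELLO, APPDATA]},
    {"id": "C", "dst_port": 8080, "from_start": True,  "payloads": [b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"]},
    {"id": "D", "dst_port": 443,  "from_start": True,  "payloads": [APPDATA]},
    {"id": "E", "dst_port": 8080, "from_start": False, "payloads": [APPDATA]},
]

if __name__ == "__main__":
    for cid, verdict, why in scan(SAMPLE_CONNS):
        print(cid, verdict, "-", why)
```

Because SockDetour hooks the socket of a legitimate service and hands ordinary clients back to it, the service port stays healthy and host-side service logs show nothing; run this against a tap or Zeek-style connection records that include the SYN rather than relying on the hijacked application's own logging.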
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
CVE-2021-44515: ZoHo Patches ManageEngine Zero-Day Exploited in the Wild
blogs_tenable · 2021-12-06 · CVSS 9.8 [CRITICAL]
Checkpoint
6th December – Threat Intelligence Report
blogs_checkpoint · 2021-12-06 · tagged CVE-2021-39237
For the latest discoveries in cyber research for the week of 6th December, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has identified ongoing campaigns in Iran using socially engineered SMS messages to infect tens of thousands of citizens’ devices. The SMS, impersonating Iranian government services, lures victims into downloading malicious Android apps that steal credit card credentials, personal SMS messages and 2FA
Unit42
APT Expands Attack on ManageEngine With Active Campaign Against ServiceDesk Plus
blogs_unit42 · Published December 2, 2021 · Robert Falcone, Peter Renals · Cybercrime, Threat Research, Advanced Persistent Threat, Godzilla webshell, ServiceDesk Plus, TiltedTemple, Zoho ManageEngine
## Executive Summary
Over the course of three months, a persistent and determined APT actor has launched multiple campaigns which have now resulted in compromises to at least 4 additional organizations, for a total of 13. Beginning on Sept. 16, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. Building upon the findings of that initial report, on Nov. 7, Unit 42 disclosed a second, more sophisticated, active and difficult-to-detect campaign that had resulted in the compromise of at least nine organizations.
As an update to our initial
Greynoiseio
Malicious Tag Roundup (January 2022)
blogs_greynoiseio
References
- http://packetstormsecurity.com/files/165400/ManageEngine-ServiceDesk-Plus-Remote-Code-Execution.html
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-msp-versions-10527-till-10529
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-supportcenter-plus-versions-11012-and-11013
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44077
Timeline
- 2021-11-29: Published
- 2021-12-01: Added to CISA KEV
- Exploited in the wild