# CVE-2021-44515

Published 2021-12-12

CVE-2021-44515: Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021.

- Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Tags: KEV · ITW · EXPLOIT
- CISA Known Exploited Vulnerability, remediation due 2021-12-24
- Exploited in the wild
- EPSS: 99.87% (100.0th percentile)
Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
## Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_desktop_central | < 10.1.2127.18 | 10.1.2127.18 |
| zohocorp | manageengine_desktop_central | < 10.1.2137.2 | 10.1.2137.2 |
| zohocorp | manageengine_desktop_central | >= 10.1.2128.0 < 10.1.2137.3 | 10.1.2137.3 |
## Detection & IOCs (extracted from sources)

- url: `/STATE_ID/123/agentLogUploader`
- cookie: `STATE_COOKIE=&_REQS/_TIME/123`
- cookie: `STATE_COOKIE=`
- url: `/STATE_ID/`
- url: `/changeDefaultAmazonPassword?`
- other: `UEMJSESSIONID=`
Snort / Suricata rule (Emerging Threats sid:2034958):

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - Administrator Password Reset Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; content:"/changeDefaultAmazonPassword?"; fast_pattern; content:"loginName="; distance:0; content:"newUserPassword="; http.cookie; content:"STATE_COOKIE="; reference:url,srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html; reference:cve,2021-44515; classtype:attempted-admin; sid:2034958; rev:2; metadata:created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit requests target the `/STATE_ID/<id>/agentLogUploader` endpoint with a crafted `STATE_COOKIE` header containing the bypass payload; a 200 response with an empty body and a `UEMJSESSIONID=` set-cookie header indicates a successful authentication bypass.
- The password reset exploitation stage uses an HTTP POST to `/STATE_ID/<id>/changeDefaultAmazonPassword?` with `loginName=` and `newUserPassword=` parameters in the body, and `STATE_COOKIE=` in the cookie header.
- Zoho released an exploit detection tool for organizations to check whether they had been targeted; defenders should use it to identify prior compromise.
- Shodan/FOFA queries can identify exposed ManageEngine Desktop Central 10 instances: search for `http.title:"manageengine desktop central 10"` or `app="zoho-manageengine-desktop"`.
- CVE-2021-44515 is an authentication bypass leading to RCE; the attacker sends a specially crafted request to a vulnerable endpoint, so monitor for anomalous unauthenticated requests to Desktop Central API paths.
- The Nuclei template matcher checks for an empty body (`len(body)==0`), HTTP 200 status, and the presence of `UEMJSESSIONID=` in the response header; all three conditions must match to confirm the bypass, and partial matches may produce false positives.
- The Emerging Threats Snort rule (sid:2034958) is scoped to perimeter and internal deployment contexts; ensure `$HOME_NET` is correctly defined to cover the ManageEngine Desktop Central server IPs, or detections will be missed.
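As an added example (not code from this page, Emerging Threats or ProjectDiscovery), the Python below re-implements the match logic of the two ET rules (sid:2034958 and sid:2034957) and the Nuclei response matcher over constructed web-proxy records, so a defender can retro-hunt exported logs for the same conditions; the record field names and sample values are assumptions, and the parameters are checked in the URI buffer exactly as the rules do.

```python
import re
# Constructed sample request/response records (not from the page), one dict per proxied HTTP transaction.
SAMPLE_TRANSACTIONS = [
    {"method": "POST", "uri": "/STATE_ID/123/agentLogUploader?filename=log1.zip&branchofficeid=1",
     "cookie": "JSESSIONID=abc", "status": 200, "body": "", "set_cookie": ""},  # ordinary agent upload
    {"method": "POST", "uri": "/STATE_ID/123/changeDefaultAmazonPassword?loginName=admin&newUserPassword=x",
     "cookie": "STATE_COOKIE=&_REQS/_TIME/123", "status": 200, "body": "ok", "set_cookie": ""},  # sid 2034958
    {"method": "POST", "uri": "/STATE_ID/123/agentLogUploader?filename=a1.zip&branchofficeid=2",
     "cookie": "STATE_COOKIE=", "status": 200, "body": "", "set_cookie": "UEMJSESSIONID=c0ffee; Path=/"},  # bypass
    {"method": "GET", "uri": "/STATE_ID/123/agentLogUploader?filename=a.zip",
     "cookie": "STATE_COOKIE=", "status": 404, "body": "Not found", "set_cookie": ""},  # not a POST: no alert
]
# Mirrors the rule's pcre "/^[a-zA-Z0-9]+\.(?:zip|7z|gz)/Ri": the archive name must directly follow "filename=".
UPLOAD_FILENAME_RE = re.compile(r"filename=[a-zA-Z0-9]+\.(?:zip|7z|gz)", re.IGNORECASE)

def password_reset_attempt(tx):
    # ET sid:2034958: POST, URI starts with /STATE_ID/, reset endpoint, then loginName=
    # and newUserPassword= in that order (all in the URI buffer), STATE_COOKIE= in the cookie.
    uri = tx["uri"]
    if tx["method"] != "POST" or not uri.startswith("/STATE_ID/"):
        return False
    i = uri.find("/changeDefaultAmazonPassword?")
    j = uri.find("loginName=", i) if i >= 0 else -1
    if j < 0 or uri.find("newUserPassword=", j) < 0:
        return False
    return "STATE_COOKIE=" in tx["cookie"]

def file_upload_attempt(tx):
    # ET sid:2034957: POST to /STATE_ID/.../agentLogUploader? with an archive filename=
    # and a branchofficeid= parameter (both case-insensitive), STATE_COOKIE= in the cookie.
    uri = tx["uri"]
    if tx["method"] != "POST" or not uri.startswith("/STATE_ID/"):
        return False
    i = uri.find("/agentLogUploader?")
    if i < 0 or not UPLOAD_FILENAME_RE.search(uri, i):
        return False
    return "branchofficeid=" in uri.lower() and "STATE_COOKIE=" in tx["cookie"]

def bypass_succeeded(tx):
    # Nuclei matcher: HTTP 200 AND empty body AND UEMJSESSIONID= in the response headers.
    # All three must hold; any one alone is a likely false positive.
    return tx["status"] == 200 and len(tx["body"]) == 0 and "UEMJSESSIONID=" in tx["set_cookie"]

def classify(tx):
    # Labels one transaction; an empty list means nothing of interest.
    labels = []
    if password_reset_attempt(tx):
        labels.append("ET:2034958 password-reset-attempt")
    if file_upload_attempt(tx):
        labels.append("ET:2034957 file-upload-attempt")
    if "/agentLogUploader" in tx["uri"] and "STATE_COOKIE=" in tx["cookie"] and bypass_succeeded(tx):
        labels.append("auth-bypass-confirmed")
    return labels
```

Run `classify` over each record of an exported log; only a record labelled `auth-bypass-confirmed` shows the server actually issued a session to an unauthenticated caller, while the ET labels alone mean an attempt was seen.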
## CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
## Sources

### GHSA: GHSA-4g2p-qp5f-9gmj

CVE-2022-48362 [CRITICAL] · CWE-22 · ghsa_unreviewed · 2023-02-25 · CVSS 9.8

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)
### GHSA: GHSA-wrwj-r75g-4vx9

CVE-2021-44515 [CRITICAL] · CWE-287 · ghsa_unreviewed · 2021-12-13

Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
### VulnCheck: Zoho Desktop Central Authentication Bypass Vulnerability

CVE-2021-44515 [CRITICAL] · vulncheck · 2021 · CVSS 9.8

Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.

- Affected: Zoho Desktop Central
- Required Action: Apply updates per vendor instructions.
- Exploitation References:
  - https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  - https://www.cve.org/CVERecord?id=CVE-2021-44515
  - https://www.ic3.gov/Media/News/2021/211220.pdf
  - https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf
  - https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-24&host_type=src&vulnerability=cve-2021-44515
  - https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03
### CISA: Zoho Desktop Central Authentication Bypass Vulnerability

CVE-2021-44515 [CRITICAL] · cisa · 2021-12-10 · CVSS 9.8

- Vulnerability: Zoho Desktop Central Authentication Bypass Vulnerability
- Affected: Zoho Desktop Central
- Description: Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
- Required Action: Apply updates per vendor instructions.
- Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-44515
- Remediation Due Date: 2021-12-24
### Suricata: ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - Administrator Password Reset Attempt (CVE-2021-44515)

CVE-2021-44515 [CRITICAL] · suricata · 2022-01-24 · CVSS 9.8

Rule (truncated in the source; the complete sid:2034958 rule is given in the Detection & IOCs section above):

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - Administrator Password Reset Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; content:"/changeDefaultAmazonPassword?"; fast_pattern; content:"loginName="; distance:0; content:"newUserPassword="; http.cookie; content:"STATE_COOKIE="; reference:url,srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html; reference:cve,2021-44515; classtype:attempted-admin; sid:2034958; rev:2; metadata:created_at 2022_01_24, cv
```
### Suricata: ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - File Upload Attempt (CVE-2021-44515)

CVE-2021-44515 [CRITICAL] · suricata · 2022-01-24 · CVSS 9.8

Rule (truncated in the source):

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - File Upload Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; content:"/agentLogUploader?"; distance:0; content:"filename="; nocase; distance:0; pcre:"/^[a-zA-Z0-9]+\.(?:zip|7z|gz)/Ri"; content:"branchofficeid="; nocase; http.cookie; content:"STATE_COOKIE="; reference:url,attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis; reference:cve,2021-44515; classtype:attempted-admin; sid:2034957; rev:2; metadata:created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, d
```
### Nuclei: Zoho ManageEngine Desktop Central - Remote Code Execution

CVE-2021-44515 [CRITICAL] · nuclei · CVSS 9.8

Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.

Template (truncated in the source):

```yaml
id: CVE-2021-44515
info:
  name: Zoho ManageEngine Desktop Central - Remote Code Execution
  author: Adam Crosser
  severity: critical
  description: Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1
```
### Tenable: AA23-215A: 2022's Top Routinely Exploited Vulnerabilities

blogs_tenable · 2023-08-03
### Tenable: CVE-2022-47523: ManageEngine Password Manager Pro, PAM360 and Access Manager Plus SQL Injection Vulnerability

[CRITICAL] · blogs_tenable · 2023-01-05 · CVSS 9.8
### Qualys: Managing CISA Known Exploited Vulnerabilities with Qualys VMDR

blogs_qualys · 2022-02-23

Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021 recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.

Situation

In November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
### Tenable: CVE-2021-44757: ZoHo Patches Authentication Bypass in ManageEngine Desktop Central

[CRITICAL] · blogs_tenable · 2022-01-18 · CVSS 9.1
### Talos: Threat Source Newsletter (Dec. 9, 2021)

blogs_talos · 2021-12-09
Good afternoon, Talos readers.
The good news keeps rolling in for our Incident Response team, who received another accolade by being featured in Forrester's recent quarterly report on the incident readiness industry. This comes on the heels of the team also being named a leader in IR services in an IDC MarketScape report.
If you are looking for a great holiday gift for the IT lover in your life, you should make sure to get your free copy of the SNORTⓇ calendar now. All you have to do is fill out this quick survey to get your free copy. (Sorry, shipping in the U.S. only.)
Cybersecurity week in review

- Multiple U.S. State Department employees had their iPhones infected with the Pegasus spyware, according to a recent report. Apple recently sued the NSO Group, the creator of Pegasus, f
### Tenable: CVE-2021-44515: ZoHo Patches ManageEngine Zero-Day Exploited in the Wild

[CRITICAL] · blogs_tenable · 2021-12-06 · CVSS 9.8
## References

- https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog
- https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44515

## Timeline

- 2021-12-12: Published
- 2021-12-10: Added to CISA KEV
- Exploited in the wild