CVE-2021-44515
published 2021-12-12


Priority: P1 (score 99), critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2021-12-24
Exploited in the wild
EPSS: 99.87% (100.0th percentile)
Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.

Affected

3 ranges

Vendor   | Product                      | Version range                 | Fixed in
zohocorp | manageengine_desktop_central | < 10.1.2127.18                | 10.1.2127.18
zohocorp | manageengine_desktop_central | < 10.1.2137.2                 | 10.1.2137.2
zohocorp | manageengine_desktop_central | >= 10.1.2128.0, < 10.1.2137.3 | 10.1.2137.3

Note that the second range lists 10.1.2137.2 as the fixed build, which contradicts the vendor text above (builds through 10.1.2137.2 are vulnerable; 10.1.2137.3 is the fix). Treat 10.1.2137.3 as the minimum safe build on the 10.1.2128+ branch and 10.1.2127.18 on the older branch; the same build numbers apply to Enterprise and MSP editions.
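A fleet triage check for the two vulnerable build ranges, written for this page as an added example (it is not Zoho's tooling and the inventory is constructed). It follows the vendor text literally: builds up to 10.1.2127.17 need 10.1.2127.18, builds 10.1.2128.0 through 10.1.2137.2 need 10.1.2137.3, and builds from 10.1.2127.18 up to 10.1.2128.0 are treated as the patched 2127 branch.

```python
"""Map a Desktop Central build number to the upgrade the vendor text requires.
Added example, not Zoho's tooling; the inventory dict is constructed for
illustration. Enterprise and MSP editions share the same build ranges."""


def parse_build(build: str) -> tuple:
    """'10.1.2127.17' -> (10, 1, 2127, 17); tuples compare numerically."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build format: {build!r}")
    return tuple(int(p) for p in parts)


# (lowest vulnerable build inclusive, first fixed build exclusive, build to install),
# taken from the vendor text: <= 10.1.2127.17 and 10.1.2128.0 .. 10.1.2137.2.
VULNERABLE_RANGES = [
    ((0, 0, 0, 0), (10, 1, 2127, 18), "10.1.2127.18"),
    ((10, 1, 2128, 0), (10, 1, 2137, 3), "10.1.2137.3"),
]


def required_fix(build: str):
    """Return the build to upgrade to, or None when the build is outside both
    vulnerable ranges (10.1.2127.18 up to 10.1.2128.0 is the patched 2127 branch)."""
    b = parse_build(build)
    for low, high, fix in VULNERABLE_RANGES:
        if low <= b < high:
            return fix
    return None


def triage(inventory: dict) -> dict:
    """inventory maps hostname -> build; returns hostname -> required build
    for every host that still sits in a vulnerable range."""
    result = {}
    for host, build in inventory.items():
        fix = required_fix(build)
        if fix:
            result[host] = fix
    return result


# Constructed inventory, not real hosts.
INVENTORY = {
    "dc-prod-01": "10.1.2127.17",  # old branch, unpatched
    "dc-prod-02": "10.1.2127.18",  # old branch, patched
    "dc-msp-01": "10.1.2130.5",    # new branch, unpatched
    "dc-msp-02": "10.1.2137.3",    # new branch, patched
}

if __name__ == "__main__":
    for host, fix in triage(INVENTORY).items():
        print(f"{host}: upgrade to {fix}")
```

The version comparison is on integer tuples rather than strings, which matters here: a lexical comparison would put 10.1.2137.2 before 10.1.2127.18.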

Detection & IOCs (extracted from sources)

url: /STATE_ID/123/agentLogUploader
cookie: STATE_COOKIE=&_REQS/_TIME/123
cookie: STATE_COOKIE=
url: /STATE_ID/
url: /changeDefaultAmazonPassword?
other: UEMJSESSIONID=
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - Administrator Password Reset Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; content:"/changeDefaultAmazonPassword?"; fast_pattern; content:"loginName="; distance:0; content:"newUserPassword="; http.cookie; content:"STATE_COOKIE="; reference:url,srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html; reference:cve,2021-44515; classtype:attempted-admin; sid:2034958; rev:2; metadata:created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests target the /STATE_ID/<id>/agentLogUploader endpoint with a crafted STATE_COOKIE header containing bypass payload; a 200 response with empty body and UEMJSESSIONID= set-cookie header indicates successful authentication bypass.
  • The password reset stage uses an HTTP POST to /STATE_ID/<id>/changeDefaultAmazonPassword? with loginName= and newUserPassword= carried in the request URI (the ET rule above matches both in the http.uri buffer, not the body) and STATE_COOKIE= in the Cookie header.
  • Zoho released an exploit detection tool for organizations to check if they had been targeted; defenders should use it to identify prior compromise.
  • Shodan/FOFA queries can identify exposed ManageEngine Desktop Central 10 instances: search for http.title:"manageengine desktop central 10" or app="zoho-manageengine-desktop".
  • CVE-2021-44515 is an authentication bypass leading to RCE; attacker sends a specially crafted request to a vulnerable endpoint — monitor for anomalous unauthenticated requests to Desktop Central API paths.
  • The Nuclei template matcher checks for an empty body (len(body)==0), HTTP 200 status, and presence of UEMJSESSIONID= in the response header; all three conditions must match to confirm the bypass, and partial matches may produce false positives.
  • The Emerging Threats Snort rule (sid:2034958) is scoped to perimeter and internal deployment contexts; ensure $HOME_NET is correctly defined to cover ManageEngine Desktop Central server IPs to avoid missed detections.
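The two stages above, the Nuclei response matcher and the ET rule's match order, expressed as detection logic over HTTP transactions. This is an added example written for this page, not code from Zoho, Nuclei or Emerging Threats; the request and response classes and the sample traffic are constructed for illustration. It reproduces one detail of the rule worth knowing before tuning it: the final `newUserPassword=` content has no relative modifier, so the rule matches it anywhere in the URI, not only after `loginName=`.

```python
"""Flag the two CVE-2021-44515 exploitation stages in HTTP transactions.
Added example, not code from the page, Zoho, Nuclei or Emerging Threats;
the request/response classes and the sample traffic are constructed here."""
import re
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    uri: str          # path plus query string, as Suricata's http.uri buffer sees it
    cookie: str = ""  # raw Cookie header value
    body: str = ""


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# /STATE_ID/<one path segment>/agentLogUploader, with or without a query string
PROBE_RE = re.compile(r"^/STATE_ID/[^/?]+/agentLogUploader(?:\?|$)")


def is_bypass_probe(req: HttpRequest) -> bool:
    """Stage 1: request to the agentLogUploader endpoint carrying STATE_COOKIE
    (the bypass payload travels in that cookie)."""
    return bool(PROBE_RE.match(req.uri)) and "STATE_COOKIE=" in req.cookie


def probe_succeeded(resp: HttpResponse) -> bool:
    """The Nuclei matcher's three conditions: HTTP 200, empty body and a
    UEMJSESSIONID= value in Set-Cookie. All three must hold; any one alone
    is a normal response."""
    set_cookie = " ".join(v for k, v in resp.headers.items() if k.lower() == "set-cookie")
    return resp.status == 200 and len(resp.body) == 0 and "UEMJSESSIONID=" in set_cookie


def is_password_reset(req: HttpRequest) -> bool:
    """Stage 2, following the content order of ET sid:2034958: POST, URI
    starts with /STATE_ID/, contains /changeDefaultAmazonPassword? followed by
    loginName= (distance:0, so after the endpoint), newUserPassword= anywhere
    in the URI (no relative modifier in the rule), STATE_COOKIE= in the cookie."""
    if req.method != "POST" or not req.uri.startswith("/STATE_ID/"):
        return False
    endpoint = req.uri.find("/changeDefaultAmazonPassword?")
    if endpoint < 0 or req.uri.find("loginName=", endpoint) < 0:
        return False
    return "newUserPassword=" in req.uri and "STATE_COOKIE=" in req.cookie


def scan(transactions):
    """Return (index, finding) pairs for each transaction matching a stage."""
    findings = []
    for i, (req, resp) in enumerate(transactions):
        if is_bypass_probe(req):
            stage = "bypass-probe-success" if probe_succeeded(resp) else "bypass-probe-attempt"
            findings.append((i, stage))
        if is_password_reset(req):
            findings.append((i, "admin-password-reset"))
    return findings


# Constructed sample traffic (not a real capture).
SAMPLE = [
    # 0: ordinary authenticated request, nothing to flag
    (HttpRequest("GET", "/configurations.do", cookie="JSESSIONID=AAAA"),
     HttpResponse(200, {"Content-Type": "text/html"}, "<html>...</html>")),
    # 1: bypass probe answered with 200, empty body and a UEMJSESSIONID cookie
    (HttpRequest("POST", "/STATE_ID/123/agentLogUploader", cookie="STATE_COOKIE=&_REQS/_TIME/123"),
     HttpResponse(200, {"Set-Cookie": "UEMJSESSIONID=deadbeef; Path=/"}, "")),
    # 2: admin password reset with parameters in the URI, as the ET rule expects
    (HttpRequest("POST", "/STATE_ID/123/changeDefaultAmazonPassword?loginName=admin&newUserPassword=Passw0rd",
                 cookie="STATE_COOKIE=&_REQS/_TIME/123"),
     HttpResponse(200, {}, "")),
    # 3: parameters reversed: still flagged, newUserPassword= is not a relative match in the rule
    (HttpRequest("POST", "/STATE_ID/123/changeDefaultAmazonPassword?newUserPassword=x&loginName=admin",
                 cookie="STATE_COOKIE=&_REQS/_TIME/123"),
     HttpResponse(200, {}, "")),
    # 4: same URI with a session cookie instead of STATE_COOKIE: outside the rule's logic, review separately
    (HttpRequest("POST", "/STATE_ID/123/changeDefaultAmazonPassword?loginName=admin&newUserPassword=x",
                 cookie="UEMJSESSIONID=deadbeef"),
     HttpResponse(200, {}, "")),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE):
        print(f"transaction {idx}: {finding}")
```

The probe check deliberately does not key on the HTTP method, since the page does not state one for the agentLogUploader request; the response matcher looks up Set-Cookie case-insensitively because header names arrive in mixed case from proxies and log pipelines.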

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL