Overview
Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability caused by improper access control that allows unauthenticated attackers to execute arbitrary code on the Desktop Central MSP (Managed Service Provider) server. This critical vulnerability requires no authentication and can be exploited remotely. The vulnerability was disclosed on December 12, 2021. CISA has identified CVE-2021-44515 as being exploited in the wild, but it is not currently known to be used in ransomware campaigns.
Technical details
Zoho ManageEngine Desktop Central contains multiple authentication bypass vulnerabilities that allow unauthenticated remote attackers to execute arbitrary code on the server. The vulnerability stems from improper access control mechanisms that fail to properly validate user authentication before allowing access to sensitive endpoints. Attackers can exploit these bypass mechanisms to gain unauthorized access to administrative functions and execute arbitrary commands with system privileges.
The vulnerability is classified as CWE-287 (Improper Authentication), CWE-284 (Improper Access Control) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
An unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the Desktop Central MSP server with system privileges. This allows complete compromise of the affected system, including: unauthorized access to sensitive management data, installation of malware or backdoors, lateral movement to managed endpoints through the Desktop Central console, exfiltration of credentials and sensitive information, and disruption of service availability. In an MSP environment, this could affect multiple customer organizations.
Mitigation and workarounds
Zoho recommends an immediate upgrade to the latest patched versions. Download and install security updates from Zoho's support portal at https://www.manageengine.com/products/desktop-central/. For MSP instances, priority should be given to applying patches. Customers should verify their current version via Administration > General Settings > About. The following versions include the necessary fixes: Desktop Central 10.0.2181 and later, Desktop Central 10.1.2164.21 and later, Desktop Central 10.2.2156.10 and later, Desktop Central MSP 10.0.2181 and later, Desktop Central MSP 10.1.2164.21 and later, Desktop Central MSP 10.2.2156.10 and later.
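The following is an added example, not code from the advisory or from Zoho: a small Python check that compares the build string read from Administration > General Settings > About against the fixed builds listed above. The fixed build numbers come from the text; the assumption that a build must be compared within its own release branch (10.0, 10.1 or 10.2) rather than across branches is mine.

```python
"""Check a Desktop Central / Desktop Central MSP build string against the
fixed builds listed for CVE-2021-44515 (builds taken from the advisory text;
per-branch comparison is an assumption, not vendor-documented behaviour)."""
from typing import Optional, Tuple

# Minimum fixed build per release branch. Desktop Central and
# Desktop Central MSP share the same fixed builds in the advisory.
FIXED_BUILDS = {
    (10, 0): (10, 0, 2181),
    (10, 1): (10, 1, 2164, 21),
    (10, 2): (10, 2, 2156, 10),
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '10.1.2164.21' into (10, 1, 2164, 21); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it is below it, None if the branch is not in the advisory."""
    build = parse_build(version)
    fixed = FIXED_BUILDS.get(build[:2])
    if fixed is None:
        return None  # unknown branch: do not guess, escalate to the vendor
    # Tuple comparison is lexicographic, so (10, 1, 2164) < (10, 1, 2164, 21):
    # a bare 10.1.2164 build is correctly reported as pre-fix.
    return build >= fixed


if __name__ == "__main__":
    # Constructed sample inputs, as they would be copied from the About page.
    for sample in ("10.0.2181", "10.1.2164", "10.1.2164.21", "10.2.2156.9", "10.3.100"):
        state = {True: "patched", False: "VULNERABLE", None: "branch not covered"}
        print(f"{sample:14} -> {state[is_patched(sample)]}")
```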
As temporary workarounds: restrict network access to the Desktop Central server (default ports 8020 and 8383) using firewall rules, limiting access to trusted administrator IP addresses and networks only; implement network segmentation to isolate the Desktop Central server from untrusted networks and the internet; use a reverse proxy or WAF (web application firewall) to add additional authentication layers and monitor for suspicious access patterns; and disable internet-facing Desktop Central instances if they are not required for MSP operations.
CISA's recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated using AI