CVE-2021-28960

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary commands on Zoho ManageEngine Desktop Central servers. It affects organizations using Desktop Central versions before build 10.0.683 for endpoint management. Attackers can exploit this without any credentials due to improper input validation in on-demand operations.

💻 Affected Systems

Products:
  • Zoho ManageEngine Desktop Central
Versions: All versions before build 10.0.683
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in the on-demand operations feature.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with high privileges, potentially leading to data theft, ransomware deployment, or lateral movement across the network.

🟠

Likely Case

Remote code execution leading to installation of backdoors, credential harvesting, or deployment of malware on affected servers.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable instances.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable to attack.
🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation allows any network user to compromise the server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploits exist. The vulnerability is actively exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 10.0.683 or later

Vendor Advisory: https://www.manageengine.com/products/desktop-central/unauthenticated-command-injection-vulnerability.html

Restart Required: Yes

Instructions:

1. Download the latest version from the ManageEngine website.
2. Back up your current installation.
3. Run the installer to upgrade to build 10.0.683 or later.
4. Restart the Desktop Central service.

🔧 Temporary Workarounds

Network Access Restriction

Platform: all

Restrict network access to the Desktop Central server to trusted IP addresses only.

Use firewall rules to block external access to ports 8020, 8443, and 8022.

Disable On-Demand Operations

Platform: all

Temporarily disable the vulnerable feature if it is not required.

Navigate to Admin > Security Settings > Disable On-Demand Operations

🧯 If You Can't Patch

  • Immediately isolate the Desktop Central server from internet access
  • Implement strict network segmentation and monitor for suspicious command execution attempts

🔍 How to Verify

Check if Vulnerable:

Check the build number in the Desktop Central web interface under Help > About. If the build number is less than 10.0.683, the system is vulnerable.

Check Version:

Check via the web interface, or examine the version files in the installation directory.

Verify Fix Applied:

Verify that the build number is 10.0.683 or higher, and confirm that on-demand operations function properly without allowing command injection.
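The build check above is easy to get wrong when done across many servers by comparing version strings as text (lexicographically, "10.0.1000" sorts before "10.0.683"). The following added example, not part of this advisory or the vendor's tooling, compares build numbers component by component against the fixed build 10.0.683 and triages a constructed inventory; the host names and build strings are made-up inputs.

```python
# Added example: numeric build comparison for CVE-2021-28960 triage.
# FIXED_BUILD comes from the vendor advisory; everything else is constructed.
from typing import Dict, List, Tuple

FIXED_BUILD = "10.0.683"  # first build that contains the fix


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '10.0.683' into (10, 0, 683). Reject anything non-numeric so a
    scraped "unknown" or "N/A" never silently counts as patched."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(build: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the installed build is strictly older than the fixed build.
    Tuple comparison is per component, so 10.0.1000 is correctly newer
    than 10.0.683 even though the string "10.0.1000" < "10.0.683"."""
    return parse_build(build) < parse_build(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a host->build inventory into patch / ok / needs-manual-check.
    Hosts whose build string cannot be parsed go to 'unknown' rather than
    being assumed safe."""
    result: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, build in sorted(inventory.items()):
        try:
            bucket = "patch" if is_vulnerable(build) else "ok"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and builds).
    sample = {
        "dc-prod-01": "10.0.682",   # one build short of the fix
        "dc-prod-02": "10.0.683",   # exactly the fixed build
        "dc-lab-01": "10.0.1000",   # newer; a string compare would flag it
        "dc-old-01": "9.9.999",
        "dc-unknown": "N/A",        # scraping failed; do not assume safe
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```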

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in Desktop Central logs
  • Multiple failed authentication attempts followed by command execution
  • Suspicious process creation from Desktop Central service

Network Indicators:

  • Unusual outbound connections from Desktop Central server
  • Exploit attempts on ports 8020/8443/8022
  • Command and control traffic from Desktop Central server

SIEM Query:

source="desktop_central" AND (command="cmd.exe" OR command="powershell" OR command="/bin/sh") AND user="unauthenticated"
