CVE-2021-44077
📋 TL;DR
CVE-2021-44077 is an unauthenticated remote code execution vulnerability in Zoho ManageEngine products. Attackers can exploit this via specific REST API endpoints to execute arbitrary code without credentials. This affects ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus users running vulnerable versions.
💻 Affected Systems
- Zoho ManageEngine ServiceDesk Plus
- Zoho ManageEngine ServiceDesk Plus MSP
- Zoho ManageEngine SupportCenter Plus
📦 What is this software?
Manageengine Servicedesk Plus Msp by Zohocorp
Manageengine Supportcenter Plus by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, and maintain persistent access.
Likely Case
Deployment of ransomware, data exfiltration, or creation of backdoors for future attacks.
If Mitigated
Attackers are blocked at network perimeter or detected before successful exploitation.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ServiceDesk Plus 11306+, ServiceDesk Plus MSP 10530+, SupportCenter Plus 11014+
Restart Required: Yes
Instructions:
1. Download the latest version from the ManageEngine website.
2. Back up the current installation.
3. Stop the ManageEngine service.
4. Install the update.
5. Restart the service.
🔧 Temporary Workarounds
Block Vulnerable Endpoints
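Linux: Block access to /RestAPI/* and /servlets/* URLs at the web application firewall or network firewall. The iptables rules below match the path string in cleartext packet payloads, so they are effective only where the service is reached over plain HTTP on port 8080; adjust the port to your deployment.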
iptables -A INPUT -p tcp --dport 8080 -m string --string "/RestAPI/" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 8080 -m string --string "/servlets/" --algo bm -j DROP
Network Segmentation
All platforms: Restrict network access to ManageEngine instances to trusted IP addresses only.
iptables -A INPUT -p tcp --dport 8080 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- Immediately isolate affected systems from internet and untrusted networks
- Implement strict network access controls and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check version number in ManageEngine admin interface or installation directory. If version is below patched versions, system is vulnerable.
Check Version:
Check Help > About in web interface or examine version.txt in installation directory
Verify Fix Applied:
Confirm version is at or above patched versions and test that /RestAPI/ImportTechnicians endpoint returns error or is inaccessible.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /RestAPI/ImportTechnicians
- Unusual process creation from Java or Tomcat
- Failed authentication attempts followed by successful exploitation
Network Indicators:
- HTTP POST requests to /RestAPI/* with suspicious parameters
- Outbound connections from ManageEngine server to unknown IPs
SIEM Query:
source="*manageengine*" AND (url="/RestAPI/ImportTechnicians" OR url="/servlets/*")
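An added example (not part of the original page or any vendor tooling): a Python triage pass over web access-log lines that normalizes each request path before matching the endpoints named above, so that percent-encoded or non-canonical spellings of the same path are not missed by an exact match on the raw URL. The common access-log layout, the sample lines and the function names `classify` and `scan` are constructed assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample lines in common access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Dec/2021:10:02:11 +0000] "POST /RestAPI/ImportTechnicians?step=1 HTTP/1.1" 200 512
198.51.100.7 - - [01/Dec/2021:10:02:15 +0000] "GET /RestAPI/%49mportTechnicians HTTP/1.1" 200 87
203.0.113.20 - - [01/Dec/2021:10:03:40 +0000] "GET /restapi/./ImportTechnicians HTTP/1.1" 404 0
192.0.2.15 - - [01/Dec/2021:10:04:02 +0000] "GET /servlets/Example HTTP/1.1" 302 0
192.0.2.15 - - [01/Dec/2021:10:05:19 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

# client ip, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(target):
    """Return 'high', 'watch' or None for a raw request target."""
    path = target.split("?", 1)[0]              # drop the query string
    path = re.sub(r";[^/]*", "", path)          # drop ;path-parameters
    path = unquote(path)                        # decode %XX once
    # Collapse //, ./ and ../ and case-fold; folding over-matches on purpose.
    path = normpath("/" + path.lstrip("/")).lower()
    if path == "/restapi/importtechnicians":
        return "high"                           # endpoint named in the log indicators
    if (path + "/").startswith(("/restapi/", "/servlets/")):
        return "watch"                          # broader prefixes from the SIEM query
    return None

def scan(log_text):
    """Return (severity, client_ip, method, raw_target, status) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                            # skip lines in another format
        ip, _ts, method, target, status = m.groups()
        severity = classify(target)
        if severity:
            hits.append((severity, ip, method, target, int(status)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Keeping the raw target in each hit lets an analyst see exactly what was requested, and the status code helps separate blocked or failed requests from ones the server answered.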
🔗 References
- http://packetstormsecurity.com/files/165400/ManageEngine-ServiceDesk-Plus-Remote-Code-Execution.html
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-msp-versions-10527-till-10529
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-supportcenter-plus-versions-11012-and-11013
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44077