CVE-2021-46164

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with access to the Reports module in Zoho ManageEngine Desktop Central to execute arbitrary code remotely. It affects organizations using Desktop Central versions before 10.0.662 for endpoint management. Attackers could gain full control of the server if they have valid credentials and Reports module permissions.

💻 Affected Systems

Products:
  • Zoho ManageEngine Desktop Central
Versions: All versions before 10.0.662
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where users have access to the Reports module. The vulnerability exists in the default configuration but requires authenticated access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Desktop Central server leading to domain-wide persistence, lateral movement across the network, data exfiltration, and deployment of ransomware or other malware.

🟠

Likely Case

Privilege escalation from authenticated user to full system administrator on the Desktop Central server, enabling installation of backdoors, credential theft, and further network reconnaissance.

🟢

If Mitigated

Limited to authenticated users with Reports module access only; proper network segmentation and least privilege access would contain the impact to the Desktop Central server itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the Reports module. Given the high CVSS score and RCE nature, weaponization is likely even without public PoC.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.662 and later

Vendor Advisory: https://www.manageengine.com/products/desktop-central/vulnerabilities-in-reports-module.html

Restart Required: Yes

Instructions:

1. Back up your Desktop Central installation and database.
2. Download the latest version from the ManageEngine website.
3. Run the upgrade installer.
4. Restart the Desktop Central service.
5. Verify the version shows 10.0.662 or higher.

🔧 Temporary Workarounds

Restrict Reports Module Access


Remove all user access to the Reports module except for absolutely necessary administrators.

Network Segmentation


Isolate the Desktop Central server from other critical systems and restrict inbound access to only necessary management IPs.

🧯 If You Can't Patch

  • Implement strict network access controls to limit which users can reach the Desktop Central web interface
  • Enable detailed logging and monitoring for suspicious activity in the Reports module

🔍 How to Verify

Check if Vulnerable:

Check the Desktop Central version in the web interface under Help > About. If the version is below 10.0.662, the system is vulnerable.

Check Version:

No command-line version check applies; read the version from the web interface at /about.jsp or from the application's Help > About page.

Verify Fix Applied:

After patching, verify the version shows 10.0.662 or higher in Help > About and test that Reports module functionality still works for authorized users.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Reports module access patterns
  • Multiple failed authentication attempts followed by successful login
  • Suspicious process creation from the Desktop Central service account

Network Indicators:

  • Unexpected outbound connections from the Desktop Central server
  • Unusual traffic patterns to/from the Desktop Central web port (typically 8020/8443)

SIEM Query:

source="desktop-central.logs" AND (event="REPORT_MODULE_ACCESS" OR event="CODE_EXECUTION")
