Zoho Corporation has released patches for its ManageEngine Desktop Central and Desktop Central MSP products, which are affected by CVE-2021-44757, a critical authentication bypass vulnerability. A reliable vulnerability management tool can help identify such issues.
Zoho ManageEngine Desktop Central is a unified endpoint management (UEM) solution for managing servers, laptops, desktops, smartphones, and tablets from a central location. A patch management tool is still required to remediate the vulnerabilities that are detected.
According to the published security advisory, an “authentication bypass vulnerability in Desktop Central identified which, when exploited, can allow an attacker to read unauthorized data or write an arbitrary zip file in the Desktop Central server.” The vulnerability is tracked as CVE-2021-44757.
Zoho patched the critical vulnerability on January 17, 2022; the fix is available in build 10.1.2137.9. KB documents are available for both Desktop Central and Desktop Central MSP. Zoho recommends that users follow the security hardening guidelines for Desktop Central and Desktop Central MSP. A security notification is also shown in Desktop Central installations urging users to upgrade to the latest version.
The vulnerability was discovered and reported by Oswald from SGLAB of Legends at Qi’anxin Group. It is not yet publicly known whether this vulnerability is being exploited in the wild.
Recently, Zoho has fixed three other critical vulnerabilities in its ManageEngine products.
- CVE-2021-44515: Authentication bypass vulnerability in Zoho ManageEngine Desktop Central.
- CVE-2021-44077: Unauthenticated, remote code execution vulnerability in Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus.
- CVE-2021-40539: Authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus.
These vulnerabilities have been targeted by state-sponsored APT groups and have been under active exploitation since October 2021. Applying the security patches and following Zoho’s security hardening guidelines is strongly recommended.
Affected products:
- Zoho ManageEngine Desktop Central
- Zoho ManageEngine Desktop Central MSP
Impact: Successful exploitation of this vulnerability allows an attacker to read unauthorized data or write an arbitrary zip file on the server.
Fixed in: Zoho ManageEngine Desktop Central build 10.1.2137.9.
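As an added example (not code from the advisory or from Zoho), the check below compares Desktop Central build strings from an inventory against the patched build 10.1.2137.9 named above, so that hosts still below the fix can be flagged for upgrade. It assumes builds are reported in the same dotted numeric form as the advisory's build number; the host names and builds in the sample are constructed.

```python
# Added example: flag Desktop Central hosts whose build is below the
# patched build from the Zoho advisory for CVE-2021-44757.
from typing import Dict, Tuple

FIXED_BUILD = "10.1.2137.9"  # patched build stated in the advisory


def parse_build(build: str) -> Tuple[int, ...]:
    """Split a dotted build string such as '10.1.2137.9' into integers."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_patched(build: str, fixed: str = FIXED_BUILD) -> bool:
    """True when `build` is at or above the fixed build.

    Tuples compare element-wise, so 10.1.2137.10 ranks above 10.1.2137.9
    even though a plain string comparison would say otherwise. A shorter
    build such as '10.1.2137' ranks below '10.1.2137.9', which is the
    conservative direction (treat it as unpatched).
    """
    return parse_build(build) >= parse_build(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a host->build inventory (assumed format)."""
    result = {}
    for host, build in inventory.items():
        try:
            result[host] = "patched" if is_patched(build) else "NEEDS UPDATE"
        except ValueError:
            result[host] = "unknown build"  # leave for manual review
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "dc-prod-01": "10.1.2127.1",
        "dc-msp-02": "10.1.2137.9",
        "dc-lab-03": "10.1.2138.2",
        "dc-old-04": "build?",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```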