Background
On Thursday, December 2, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) reported a new campaign targeting ManageEngine ServiceDesk Plus servers that are vulnerable to CVE-2021-44077. Security researchers at Palo Alto Networks have linked the threat group behind this campaign to the same group exploiting ManageEngine ADSelfService Plus.
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
| --- | --- | --- | --- | --- |
| CVE-2021-44077 | 9.8 | Critical | Remote Code Execution | Zoho ManageEngine ServiceDesk Plus Remote Code Execution |
Analysis
CVE-2021-44077
CVE-2021-44077 is an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus affecting all versions of ServiceDesk Plus up to and including build 11305.
Following initial exploitation of CVE-2021-44077 on a targeted system, the threat actors have been observed uploading executable files and placing web shells that enable post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
Solutions and Recommendations
Our primary recommendation is to first determine whether you are running an affected version of ManageEngine ServiceDesk Plus.
ManageEngine's security advisory for CVE-2021-44077 (linked in the References below) lists the affected builds. We recommend comparing the build number of every ServiceDesk Plus instance in your environment against the versions below and upgrading any vulnerable instance as soon as possible.
Vulnerable Versions: Build 11305 and older
Stable Version: Build 11306 and newer
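The build check above and the post-exploitation hunting implied by the Analysis section, as an added example for this bulletin (it is not Arctic Wolf, CISA, Palo Alto or ManageEngine code). The first part classifies an inventory of servers by build number against the Build 11305 threshold; the second runs simple hunt rules over process-creation log lines for the behaviour described above: a web shell spawning a shell from the ServiceDesk Plus Java process, registry hive dumps, and Active Directory database staging. The log line format, the install path `SDP_HOME`, the sample inventory and events, and the command-line patterns are all assumptions constructed for illustration, not indicators taken from the bulletin.

```python
"""
Triage helpers for CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus.

Added example for this bulletin; it is not Arctic Wolf, CISA, Palo Alto or
ManageEngine code. Part 1 classifies servers by build against the threshold
stated above (Build 11305 and older are vulnerable). Part 2 runs hunt rules
over process-creation log lines for the post-exploitation behaviour the
Analysis section describes. The log line format, the install path and the
command-line patterns are assumptions for illustration only.
"""
import re

VULNERABLE_MAX_BUILD = 11305  # from the advisory: Build 11305 and older

BUILD_RE = re.compile(r"[Bb]uild\s*[:#]?\s*(\d{5})")


def parse_build(version_text):
    """Pull the five-digit build number out of strings such as 'Build 11306'
    or 'ServiceDesk Plus 11.3 (Build 11305)'; None when no build is present."""
    m = BUILD_RE.search(version_text)
    return int(m.group(1)) if m else None


def triage(inventory):
    """inventory maps hostname -> version text as reported by each server.
    Returns sorted host lists under 'vulnerable', 'patched' and 'unknown'."""
    buckets = {"vulnerable": [], "patched": [], "unknown": []}
    for host, text in inventory.items():
        build = parse_build(text)
        if build is None:
            buckets["unknown"].append(host)  # needs a manual check; never assume patched
        elif build <= VULNERABLE_MAX_BUILD:
            buckets["vulnerable"].append(host)
        else:
            buckets["patched"].append(host)
    return {k: sorted(v) for k, v in buckets.items()}


# Assumed ServiceDesk Plus home; set it to the real install path on each server.
SDP_HOME = r"c:\manageengine\servicedesk"

# Hunt rules: (name, predicate over a parsed, lower-cased event).
HUNT_RULES = [
    # A JSP web shell runs inside the ServiceDesk Plus Tomcat JVM, so its commands
    # show up as cmd.exe / powershell.exe children of that java.exe.
    ("webshell-spawn", lambda e: e["parent"].startswith(SDP_HOME)
        and e["parent"].endswith("java.exe")
        and e["image"].rsplit("\\", 1)[-1] in ("cmd.exe", "powershell.exe")),
    # Registry hive exfiltration commonly starts by saving SAM/SYSTEM/SECURITY.
    ("registry-hive-dump", lambda e: re.search(
        r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", e["cmdline"]) is not None),
    # Active Directory database staging: ntdsutil IFM, shadow copies, or ntds.dit.
    ("ntds-staging", lambda e: re.search(
        r"ntdsutil.*\bifm\b|vssadmin\s+create\s+shadow|ntds\.dit", e["cmdline"]) is not None),
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = ("host", "parent", "image", "cmdline")


def parse_event(line):
    """Parse one constructed key="value" process-creation line. Values are
    lower-cased so path and command matching is case-insensitive."""
    fields = {k: v.lower() for k, v in FIELD_RE.findall(line)}
    return fields if all(k in fields for k in REQUIRED) else None


def hunt(lines):
    """Return [(rule, host, cmdline)] for every event that matches a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # malformed line: skip rather than abort the hunt
        for name, matches in HUNT_RULES:
            if matches(event):
                hits.append((name, event["host"], event["cmdline"]))
    return hits


# Constructed inventory: version strings as shown in each server's web UI.
SAMPLE_INVENTORY = {
    "sdp-prod-01": "ServiceDesk Plus 11.3 (Build 11305)",
    "sdp-prod-02": "Build 11306",
    "sdp-test-01": "ServiceDesk Plus 11.2 Build 11214",
    "sdp-lab-01": "version unknown",
}

# Constructed process-creation events (simplified key="value" form).
SAMPLE_EVENTS = [
    r'host="sdp-prod-01" parent="C:\ManageEngine\ServiceDesk\jre\bin\java.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c whoami"',
    r'host="sdp-prod-01" parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\reg.exe" cmdline="reg save HKLM\SAM C:\Windows\Temp\sam.hiv"',
    r'host="dc-01" parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\ntdsutil.exe" cmdline="ntdsutil.exe ac i ntds ifm create full C:\Temp\x q q"',
    # Benign: the JVM starting its bundled database is not a web shell.
    r'host="sdp-prod-02" parent="C:\ManageEngine\ServiceDesk\jre\bin\java.exe" image="C:\ManageEngine\ServiceDesk\pgsql\bin\postgres.exe" cmdline="postgres.exe -D data"',
    r'host="ws-42" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10} {', '.join(hosts) or '-'}")
    for rule, host, cmdline in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmdline}")
```

Hosts whose build cannot be parsed land in `unknown` rather than `patched`, because a missing version string is exactly the case where an unmanaged or forgotten instance tends to hide. The web shell rule keys on the parent process rather than on file names, so it also catches shells dropped under paths an attacker chooses; tune `SDP_HOME` and the process names to your deployment before running it over real Sysmon or EDR telemetry.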
References
- Palo Alto Blog on Campaign
- APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus
- Security advisory for CVE-2021-44077
- CVE-2021-44077 MITRE
- NIST CVE-2021-44077 Detail
Learn more about Arctic Wolf’s Managed Risk solution or request a demo today.