The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability in Zoho’s ManageEngine Desktop Central product.
Tracked as CVE-2021-44515, the security error is an authentication bypass that can be exploited to achieve remote code execution. The bug affects the Professional and Enterprise editions of ServiceDesk Plus and potentially impacts tens of thousands of organizations around the world.
Rated critical (CVSS score of 9.8), the vulnerability was made public in early December, when Zoho warned that threat actors had already been exploiting the bug in attacks.
Now, the FBI says that exploitation by advanced persistent threat (APT) actors has been ongoing since at least October 2021. The attackers have been dropping a webshell on compromised Desktop Central servers, to override a legitimate function and set up for post-compromise activities.
The adversaries used the webshells to drop further tools, enumerate domain users, perform reconnaissance, and attempt to move laterally in the network and steal credentials.
READ: U.S. Agencies Share More Details on ADSelfService Plus Vulnerability Exploitation
Two variants of the observed webshells were used in these attacks, both designed to override a Desktop Central API servlet endpoint and gain access to inbound GET or outbound POST requests and execute commands with System privileges.
Following initial reconnaissance, the attackers deployed a ShadowPad variant dropper and a legitimate binary that is then abused to achieve persistence. When executed, the dropper injects backdoor code into an instance of svchost, to connect to a command and control (C&C) server and enable further malicious activities.
Organizations are encouraged to upgrade their ManageEngine Desktop Central installations as soon as possible, to ensure they can prevent potential attacks. Those running version 10.1.2127.17 and below should upgrade to 10.1.2127.18, while builds 10.1.2128.0 to 10.1.2137.2 should be upgraded to 10.1.2137.3.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging organizations to apply the available patches as soon as possible.
Related: Zoho Confirms New Zero-Day, Ships Exploit Detector
Related: Zoho Confirms Zero-Day Authentication Bypass Attacks
Related: U.S. Agencies Warn of APTs Exploiting Zoho Zero-Day

More from Ionut Arghire
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
