Security Experts:

Zoho Confirms New Zero-Day, Ships Exploit Detector

The security problems at enterprise software provider Zoho continue to multiply with confirmation of a new critical authentication bypass vulnerability -- the third in four months -- being exploited in the wild by advanced threat actors.

The Indian multinational firm, which sells a wide range of productivity and collaboration apps to businesses, confirmed the new zero-day exploitation over the weekend and released an exploit detection tool to help defenders spot signs of compromise.

The new security vulnerability -- CVE-2021-44515 -- was identified in Zoho’s ManageEngine Desktop Central, an IT and network management tool that Zoho says is used by more than 40,000 global companies.

“As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” according to Zoho’s latest red-alarm warning.

Zoho said the newest CVE-2021-44515 flaw affects customers of the Professional and Enterprise editions of ServiceDesk Plus who use the Desktop Central agent for asset discovery, and warned of the risk of remote code execution attacks. 

[ READ: U.S. Agencies Warn of APTs Exploiting Zoho Zero-Day ]

Over the last weekend, Zoho shipped an exploit detection tool (direct ZIP file download) to help on-prem installations run scans for signs of compromise. Security researchers are also publicly sharing YARA rules to detect signs of malicious activity.

This is the third Zoho vulnerability being exploited in the wild and the U.S. government has issued multiple warnings -- and firm deadlines -- for its agencies to mitigate issues introduced via Zoho’s software products.

As SecurityWeek has reported, in-the-wild exploits for the Zoho vulnerabilities have been observed in malware attacks against businesses around the world since at least September 2021.

The two other vulnerabilities under active exploitation are CVE-2021-37415 and CVE-2021-44077 and law enforcement officials have pushed out Indicators of Compromise (IOCs) and other technical artifacts to help businesses find and disinfect compromised systems.

[ READ: CISA Adds Zoho Flaws to Federal 'Must-Patch' List ]

According to data from Palo Alto Networks, skilled hacking groups linked to China have already compromised at least 13 corporate entities via Zoho software exploitation.   Victim organisations span the technology, energy, healthcare, education, finance and defense industries.

Palo Alto Networks has found evidence of more than 4,700 internet-facing instances of the ServiceDesk Plus software globally, and 2,900 (or 62 percent) are assessed to be vulnerable to exploitation.

“While we have been unable to identify any publicly available proof of concept code for this vulnerability, it is now clear that the actor has successfully determined how to exploit unpatched versions of the software. Additionally, upon exploitation, the actor has been observed uploading a new dropper to victim systems,” the company warned.

Related: CISA Adds Zoho, Qualcomm, Mikrotik Flaws to 'Must-Patch' List

Related: U.S. Agencies Warn of APTs Exploiting Recent Zoho Zero-Day

Related: Zoho Confirms Zero-Day Authentication Bypass Attacks

Related: Zoho Working on Patch for Zero-Day Vulnerability in ManageEngine Product 

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.