Connect with us

Hi, what are you looking for?


Application Security

Zoho Confirms New Zero-Day, Ships Exploit Detector

The security problems at enterprise software provider Zoho continue to multiply with confirmation of a new critical authentication bypass vulnerability — the third in four months — being exploited in the wild by advanced threat actors.

The security problems at enterprise software provider Zoho continue to multiply with confirmation of a new critical authentication bypass vulnerability — the third in four months — being exploited in the wild by advanced threat actors.

The Indian multinational firm, which sells a wide range of productivity and collaboration apps to businesses, confirmed the new zero-day exploitation over the weekend and released an exploit detection tool to help defenders spot signs of compromise.

The new security vulnerability — CVE-2021-44515 — was identified in Zoho’s ManageEngine Desktop Central, an IT and network management tool that Zoho says is used by more than 40,000 global companies.

“As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” according to Zoho’s latest red-alarm warning.

Zoho said the newest CVE-2021-44515 flaw affects customers of the Professional and Enterprise editions of ServiceDesk Plus who use the Desktop Central agent for asset discovery, and warned of the risk of remote code execution attacks. 

[ READ: U.S. Agencies Warn of APTs Exploiting Zoho Zero-Day ]

Over the last weekend, Zoho shipped an exploit detection tool (direct ZIP file download) to help on-prem installations run scans for signs of compromise. Security researchers are also publicly sharing YARA rules to detect signs of malicious activity.

Advertisement. Scroll to continue reading.

This is the third Zoho vulnerability being exploited in the wild and the U.S. government has issued multiple warnings — and firm deadlines — for its agencies to mitigate issues introduced via Zoho’s software products.

As SecurityWeek has reported, in-the-wild exploits for the Zoho vulnerabilities have been observed in malware attacks against businesses around the world since at least September 2021.

The two other vulnerabilities under active exploitation are CVE-2021-37415 and CVE-2021-44077 and law enforcement officials have pushed out Indicators of Compromise (IOCs) and other technical artifacts to help businesses find and disinfect compromised systems.

[ READ: CISA Adds Zoho Flaws to Federal ‘Must-Patch’ List ]

According to data from Palo Alto Networks, skilled hacking groups linked to China have already compromised at least 13 corporate entities via Zoho software exploitation.   Victim organisations span the technology, energy, healthcare, education, finance and defense industries.

Palo Alto Networks has found evidence of more than 4,700 internet-facing instances of the ServiceDesk Plus software globally, and 2,900 (or 62 percent) are assessed to be vulnerable to exploitation.

“While we have been unable to identify any publicly available proof of concept code for this vulnerability, it is now clear that the actor has successfully determined how to exploit unpatched versions of the software. Additionally, upon exploitation, the actor has been observed uploading a new dropper to victim systems,” the company warned.

Related: CISA Adds Zoho, Qualcomm, Mikrotik Flaws to ‘Must-Patch’ List

Related: U.S. Agencies Warn of APTs Exploiting Recent Zoho Zero-Day

Related: Zoho Confirms Zero-Day Authentication Bypass Attacks

Related: Zoho Working on Patch for Zero-Day Vulnerability in ManageEngine Product 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.