Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Zoho Confirms New Zero-Day, Ships Exploit Detector

The security problems at enterprise software provider Zoho continue to multiply with confirmation of a new critical authentication bypass vulnerability — the third in four months — being exploited in the wild by advanced threat actors.

The security problems at enterprise software provider Zoho continue to multiply with confirmation of a new critical authentication bypass vulnerability — the third in four months — being exploited in the wild by advanced threat actors.

The Indian multinational firm, which sells a wide range of productivity and collaboration apps to businesses, confirmed the new zero-day exploitation over the weekend and released an exploit detection tool to help defenders spot signs of compromise.

The new security vulnerability — CVE-2021-44515 — was identified in Zoho’s ManageEngine Desktop Central, an IT and network management tool that Zoho says is used by more than 40,000 global companies.

“As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” according to Zoho’s latest red-alarm warning.

Zoho said the newest CVE-2021-44515 flaw affects customers of the Professional and Enterprise editions of ServiceDesk Plus who use the Desktop Central agent for asset discovery, and warned of the risk of remote code execution attacks. 

[ READ: U.S. Agencies Warn of APTs Exploiting Zoho Zero-Day ]

Over the last weekend, Zoho shipped an exploit detection tool (direct ZIP file download) to help on-prem installations run scans for signs of compromise. Security researchers are also publicly sharing YARA rules to detect signs of malicious activity.

This is the third Zoho vulnerability being exploited in the wild and the U.S. government has issued multiple warnings — and firm deadlines — for its agencies to mitigate issues introduced via Zoho’s software products.

As SecurityWeek has reported, in-the-wild exploits for the Zoho vulnerabilities have been observed in malware attacks against businesses around the world since at least September 2021.

The two other vulnerabilities under active exploitation are CVE-2021-37415 and CVE-2021-44077 and law enforcement officials have pushed out Indicators of Compromise (IOCs) and other technical artifacts to help businesses find and disinfect compromised systems.

[ READ: CISA Adds Zoho Flaws to Federal ‘Must-Patch’ List ]

According to data from Palo Alto Networks, skilled hacking groups linked to China have already compromised at least 13 corporate entities via Zoho software exploitation.   Victim organisations span the technology, energy, healthcare, education, finance and defense industries.

Palo Alto Networks has found evidence of more than 4,700 internet-facing instances of the ServiceDesk Plus software globally, and 2,900 (or 62 percent) are assessed to be vulnerable to exploitation.

“While we have been unable to identify any publicly available proof of concept code for this vulnerability, it is now clear that the actor has successfully determined how to exploit unpatched versions of the software. Additionally, upon exploitation, the actor has been observed uploading a new dropper to victim systems,” the company warned.

Related: CISA Adds Zoho, Qualcomm, Mikrotik Flaws to ‘Must-Patch’ List

Related: U.S. Agencies Warn of APTs Exploiting Recent Zoho Zero-Day

Related: Zoho Confirms Zero-Day Authentication Bypass Attacks

Related: Zoho Working on Patch for Zero-Day Vulnerability in ManageEngine Product 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.