Critical vulnerability in Zoho ManageEngine Desktop Central, tool for installing software patches

In a cybersecurity alert, Zoho asked its customers to update their Desktop Central and Desktop Central MSP deployments to the latest version in order to address a critical vulnerability. Tracked as CVE-2021-44515, successful exploitation of this flaw would allow threat actors to evade authentication and execute arbitrary code on vulnerable servers.

In addition to requesting the installation of its updates, Zoho mentions that signs of active exploitation have already been detected, which makes it urgent that vulnerable implementations be updated. The company also recommends using its exploit detection tool to know if an implementation is affected.

In case an administrator finds evidence of compromise, Zoho also recommends initiating a password reset procedure for all services and accounts that have been accessed since the compromised deployment.

When performing a scan with the Shodan tool, the researchers found more than 3,200 implementations of ManageEngine Desktop Central running ports vulnerable to compromise, making this a considerable security risk.

This isn’t the first time Zoho ManageEngine has become an easy target for threat actors. Desktop Central instances have been hacked before, allowing malicious hackers to access compromised networks.

According to a security report, during 2020 multiple malicious accesses to various compromised networks were detected in various parts of the world, mainly the United States, Brazil, Spain and the United Kingdom.

In the face of multiple attack campaigns against these deployments, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued security alerts to warn users that at least two groups of threat actors were exploiting ManageEngine-related vulnerabilities to launch webshells against specific organizations.

Both agencies mentioned that confirming a successful attack can be a complex process, as attackers have been known to run cleanup scripts designed to remove traces of their activity, although this is not impossible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.