Zoho, an enterprise software company, issued updates on Monday for a critical security vulnerability in Desktop Central and Desktop Central MSP that a remote adversary could exploit to perform unauthorised actions on affected servers.
According to the company advisory, the flaw, tracked as CVE-2021-44757, is an authentication bypass that “may allow an attacker to read unauthorised data or write an arbitrary zip file on the server.”
The vulnerability was discovered and reported by Osword from SGLAB of Legendsec at Qi’anxin Group. The problem has been fixed in build version 10.1.2137.9.
This latest patch follows a series of critical vulnerabilities that Zoho has addressed in the last five months:
- CVE-2021-40539 (CVSS score: 9.8) – Authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus.
- CVE-2021-44077 (CVSS score: 9.8) – Unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.
- CVE-2021-44515 (CVSS score: 9.8) – Authentication bypass vulnerability affecting Zoho ManageEngine Desktop Central.
All three of the above-mentioned flaws have already been exploited by malicious actors.
The researchers concluded that “users should apply the updates as soon as possible to mitigate any potential threats.”