CVE-2021-44077 Overview
CVE-2021-44077 is a critical unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus before version 11306, ServiceDesk Plus MSP before version 10530, and SupportCenter Plus before version 11014. The vulnerability is related to /RestAPI URLs in a servlet and the ImportTechnicians functionality in the Struts configuration.
This vulnerability allows attackers to execute arbitrary code on vulnerable servers without requiring any authentication, making it particularly dangerous for internet-exposed ManageEngine deployments. The vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Critical Impact
This unauthenticated RCE vulnerability enables complete system compromise of ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus servers. Attackers can gain full control over affected systems, potentially accessing sensitive IT service management data, credentials, and using the compromised server as a pivot point for further network intrusion.
Affected Products
- Zoho ManageEngine ServiceDesk Plus builds before 11306 (versions 11.1 and 11.2, builds up to and including 11305)
- Zoho ManageEngine ServiceDesk Plus MSP builds before 10530 (version 10.5, builds up to and including 10529)
- Zoho ManageEngine SupportCenter Plus builds before 11014 (version 11.0, builds up to and including 11013)
Discovery Timeline
- November 29, 2021 - CVE-2021-44077 published to NVD
- October 31, 2025 - Last updated in NVD database
Technical Details for CVE-2021-44077
Vulnerability Analysis
CVE-2021-44077 represents a severe authentication bypass vulnerability (CWE-306: Missing Authentication for Critical Function) that enables unauthenticated remote code execution in Zoho ManageEngine products. The vulnerability specifically affects the REST API servlet functionality and the ImportTechnicians feature within the Apache Struts configuration.
The flaw allows unauthenticated attackers to access critical API endpoints that should require authentication. By exploiting the misconfigured Struts actions and servlet mappings, attackers can upload malicious files and execute arbitrary commands on the underlying server with the privileges of the ManageEngine service account.
Organizations running vulnerable builds face significant risk: at the time of writing the EPSS score was 94.25% (99.93rd percentile), indicating an extremely high likelihood of exploitation, and the vulnerability's inclusion in CISA's KEV catalog confirms active exploitation by threat actors.
Root Cause
The root cause of this vulnerability lies in missing authentication controls for critical functionality within the ManageEngine applications. Specifically:
Improper Servlet Configuration: The /RestAPI URL patterns in the web application servlet configuration lack proper authentication enforcement, allowing unauthenticated access to sensitive endpoints.
Struts Action Misconfiguration: The ImportTechnicians action within the Struts framework configuration does not properly validate authentication status before processing requests, enabling attackers to invoke functionality intended only for authenticated administrators.
Insufficient Access Control: Critical file upload and processing operations can be triggered without proper authorization checks, allowing attackers to upload and execute malicious payloads.
Attack Vector
The attack leverages network-accessible REST API endpoints to achieve code execution:
Initial Access: The attacker sends crafted HTTP requests to the vulnerable /RestAPI endpoints on an exposed ManageEngine server without any authentication credentials.
Payload Delivery: Through the ImportTechnicians functionality or related REST API endpoints, the attacker uploads a malicious payload (typically a web shell or reverse shell) to the server.
Code Execution: The uploaded payload is executed on the server, granting the attacker arbitrary code execution capabilities with the privileges of the ManageEngine service account.
Post-Exploitation: Once code execution is achieved, attackers typically deploy additional tools, establish persistence, harvest credentials, and pivot to other systems within the network.
The attack requires no user interaction and can be performed entirely over the network, making internet-exposed ManageEngine installations particularly vulnerable to automated exploitation campaigns.
Detection Methods for CVE-2021-44077
Indicators of Compromise
- HTTP POST requests to /RestAPI/ImportTechnicians, or requests to other /RestAPI paths, from external or non-administrative addresses, particularly where the request carries no valid application session cookie yet receives a success response
- Web shell files (e.g. *.jsp in unexpected locations) or unexpected executables appearing under the ManageEngine installation directory, including its bin directory; public incident reporting on this CVE described an attacker-supplied file named msiexec.exe written there that is not the Windows system binary
- Suspicious process execution by the ManageEngine service account, particularly cmd.exe, powershell.exe, or shell processes
- Outbound network connections from the ManageEngine server to unknown external IP addresses
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block suspicious requests targeting /RestAPI endpoints with malicious payloads
- Review the HTTP access log for /RestAPI requests that succeed without any preceding login or session cookie; because the vulnerable builds serve these endpoints without authentication, there will be no failed-login event to alert on, so the absence of a session is itself the signal
- Implement endpoint detection rules to identify web shell execution patterns and suspicious file creation in ManageEngine directories
- Correlate network traffic anomalies with endpoint behavior to identify exploitation attempts and post-exploitation activity
Monitoring Recommendations
- Ensure HTTP access logging (client IP, method, path and status) is enabled for ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus, and retain it long enough to cover the period the server was exposed while unpatched
- Configure SIEM alerts for unusual patterns of unauthenticated API requests to ManageEngine servers
- Monitor file integrity for ManageEngine web directories to detect unauthorized file uploads or modifications
- Review authentication logs for discrepancies between API access patterns and legitimate user activity
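The following script is an added example of the log-based checks described above; it is not code from this page, from ManageEngine, or from any advisory. It assumes the server (or a reverse proxy in front of it) writes a combined-format HTTP access log, and that administrative traffic legitimately originates only from an assumed trusted CIDR (10.0.0.0/8 here). The sample log lines are constructed for the example.

```python
"""Flag HTTP access-log entries consistent with CVE-2021-44077 probing or exploitation.

Assumptions (not from the advisory): the access log is in the common "combined"
format (Tomcat AccessLogValve or a reverse proxy in front of ServiceDesk Plus),
and administrative traffic legitimately comes only from the CIDRs in
TRUSTED_NETS. The sample log below is constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed trusted administrative network; adjust to the environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined-format access log: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the CVE; vulnerable builds serve it without authentication.
IMPORT_TECHNICIANS = "/restapi/importtechnicians"

# Constructed sample: an external POST to the upload endpoint, an internal POST,
# an external read of another REST path, an ordinary UI request, and a junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2021:10:14:02 +0000] "POST /RestAPI/ImportTechnicians HTTP/1.1" 200 512
10.20.3.4 - - [01/Dec/2021:10:15:11 +0000] "POST /RestAPI/ImportTechnicians HTTP/1.1" 200 318
198.51.100.9 - - [01/Dec/2021:10:16:45 +0000] "GET /restapi/requests?format=json HTTP/1.1" 200 2048
10.20.3.4 - - [01/Dec/2021:10:17:00 +0000] "GET /WorkOrder.do HTTP/1.1" 200 9211
this line is not an access-log entry
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside an assumed-trusted CIDR."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a severity for one request, or None if it is not of interest.

    - POST to /RestAPI/ImportTechnicians from outside the trusted networks: high
      (the upload path used in exploitation, reached from where no admin should be).
    - The same POST from a trusted address: low (a legitimate technician import
      is possible, but it should be checked against who was logged in at the time).
    - Any other /RestAPI request from an untrusted address: medium (probing).
    Paths are compared case-insensitively so mixed-case variants are not missed.
    """
    path = rec["path"].lower()
    untrusted = not is_trusted(rec["ip"])
    if path.startswith(IMPORT_TECHNICIANS) and rec["method"] == "POST":
        return "high" if untrusted else "low"
    if path.startswith("/restapi/") and untrusted:
        return "medium"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run the rules over a whole log and return the flagged entries in order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            findings.append({"severity": severity, "ip": rec["ip"],
                             "method": rec["method"], "path": rec["path"],
                             "status": rec["status"], "ts": rec["ts"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['method']} {f['path']} -> {f['status']}")
```

Run against the constructed sample, the external POST to the import endpoint is reported as high, the internal POST as low, and the external read of another /RestAPI path as medium; the ordinary UI request and the malformed line produce nothing. On a real server, feed it the Tomcat or proxy access log and narrow TRUSTED_NETS to the actual admin subnets.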
How to Mitigate CVE-2021-44077
Immediate Actions Required
- Upgrade ManageEngine ServiceDesk Plus to version 11306 or later immediately
- Upgrade ManageEngine ServiceDesk Plus MSP to version 10530 or later immediately
- Upgrade ManageEngine SupportCenter Plus to version 11014 or later immediately
- If immediate patching is not possible, restrict network access to ManageEngine servers from untrusted networks
- Conduct forensic analysis of potentially compromised systems to identify indicators of prior exploitation
Patch Information
Zoho has released security patches addressing CVE-2021-44077 for all affected products. Organizations should apply the following minimum versions:
- ServiceDesk Plus: Update to version 11306 or later
- ServiceDesk Plus MSP: Update to version 10530 or later
- SupportCenter Plus: Update to version 11014 or later
Detailed patch information and upgrade instructions are available in the ManageEngine Security Advisory and related vendor advisories for ServiceDesk Plus MSP and SupportCenter Plus.
Workarounds
- Implement network segmentation to isolate ManageEngine servers from direct internet exposure using firewalls or access control lists
- Deploy a reverse proxy or web application firewall in front of ManageEngine servers to filter malicious requests targeting REST API endpoints
- Disable or restrict access to the /RestAPI endpoints if not required for business operations until patching can be completed
- Implement IP-based access restrictions to limit access to ManageEngine management interfaces to trusted administrative networks only
# Example: restrict access to the ManageEngine web port using iptables
# (default HTTP port 8080; repeat for 8443 if HTTPS is enabled). Insert the rules
# ahead of any existing ACCEPT for the port, otherwise they are never reached.
# Allow access only from the trusted internal network (adjust CIDR as needed)
iptables -I INPUT 1 -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 8080 -j DROP
# For Windows, use Windows Defender Firewall. Block rules take precedence over
# allow rules, so a blanket block on port 8080 would also cut off the trusted
# network. Instead, add only a scoped allow rule, make sure the profile's default
# inbound action is block, and delete any broader allow rule for the port.
# netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# netsh advfirewall firewall add rule name="Allow ManageEngine Internal" dir=in action=allow protocol=tcp localport=8080 remoteip=10.0.0.0/8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.