Attackers exploit another zero-day in ManageEngine software (CVE-2021-44515)
A vulnerability (CVE-2021-44515) in ManageEngine Desktop Central is being leveraged in attacks in the wild to gain access to server running the vulnerable software.
About CVE-2021-44515
CVE-2021-44515 is an authentication bypass vulnerability that could be triggered by attackers by sending a specially crafted request, with the goal of achieving unauthenticated remote code execution.
The issue is considered critical by the company and affects ManageEngine Desktop Central – a unified endpoint management (UEM) solution – and ManageEngine Desktop Central MSP – endpoint management software for MSPs. If installations of the latter are compromised, attackers could use the access to compromise endpoints and networks of MSPs’s client organizations.
ManageEngine has fixed the vulnerability and is advising customers to take action. “As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” they noted.
They have also offered an exploit detection tool customers can use to check whether their installation has been compromised via this flaw; indicators of compromise; and advice on incident response actions to take whether or not they’ve been hit.
About the attacks
ManageEngine did not share the nature of the attacks.
Claire Tills, senior research engineer at Tenable, said there are no known public proofs-of-concept exploits for CVE-2021-44515 available as of December 6.
It seems likely that attackers have created their own, as it apparently happened for an authentication bypass vulnerability (CVE-2021-44077) in ManageEngine ServiceDesk Plus. Those attacks have been tied to an APT group that has been exploiting vulnerabilities in different ManageEngine solutions in the last five months.
Researchers with Palo Alto Networks’ Unit 42 have also urged MSPs to update their ManageEngine Password Manager Pro software, as they have found evidence the attackers might be preparing to leverage a known vulnerability affecting it.
UPDATE (December 21, 2021, 01:47 a.m. PT):
The FBI has released additional technical details about APTs exploiting CVE-2021-44515, as well as some IoCs.