CVE-2021-31159

MEDIUM

Zoho ManageEngine ServiceDesk Plus MSP <10519 - Info Disclosure


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-31159. PoCs published by Ricardo Ruiz, ricardojoserf.

AI-analyzed exploit summary: This exploit leverages a user enumeration vulnerability in Zoho ManageEngine ServiceDesk Plus MSP by comparing response sizes from the ForgotPassword.sd endpoint to determine valid usernames. It iterates through a provided list of users and outputs valid ones.

Description

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.

Exploits (2)

exploitdb WORKING POC
by Ricardo Ruiz · python · webapps · java
https://www.exploit-db.com/exploits/50027

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Zoho ManageEngine ServiceDesk Plus MSP < build 10519
No auth needed
Prerequisites: Target URL · Domain name · List of usernames to test
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by ricardojoserf · poc
https://github.com/ricardojoserf/CVE-2021-31159

This repository contains a functional exploit script for CVE-2021-31159, which leverages a difference in response sizes from the password recovery functionality in Zoho ManageEngine ServiceDesk Plus MSP to enumerate Active Directory users. The script automates the process by comparing response sizes for valid and invalid users.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Zoho ManageEngine ServiceDesk Plus MSP (versions before build 10519)
No auth needed
Prerequisites: Target URL with vulnerable ServiceDesk Plus MSP instance · Domain name for Active Directory · List of potential usernames to test
devstral-2 · analyzed Feb 18, 2026

References (4)

Product (x_refsource_misc)
https://www.manageengine.com
Release Notes, Vendor Advisory (x_refsource_confirm)
https://www.manageengine.com/products/service-desk-msp/readme.html#10519
Exploit, Third Party Advisory (x_refsource_misc)
https://github.com/ricardojoserf/CVE-2021-31159

Scores

CVSS v3 5.3
EPSS 0.1777
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-209
Status published
Products (1)
zohocorp/manageengine_servicedesk_plus_msp 10.5 10500 (50 CPE variants)
Published Jun 16, 2021
Tracked Since Feb 18, 2026