CVE-2021-42954

HIGH

Zoho Remote Access Plus Server - Privilege Escalation

Title source: llm

Description

Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc.

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://medium.com/nestedif/vulnerability-disclosure-improper-filesystem-permission-misconfigured-acls-zoho-r-a-p-56e195464b51

Scores

CVSS v3 7.8

EPSS 0.0004

EPSS Percentile 12.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-732

Status published

Products (1)

zohocorp/manageengine_remote_access_plus < 10.1.2121.1

Published Nov 17, 2021

Tracked Since Feb 18, 2026