CVE-2021-44077

CRITICAL KEV NUCLEI

ManageEngine ServiceDesk Plus CVE-2021-44077

Title source: metasploit

Exploitation Summary

CVE-2021-44077 is actively exploited and has been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since December 1, 2021. EIP tracks 3 public exploits from researchers including horizon3ai, pizza-power, wvu, and Y4er, among them the Metasploit module exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a functional exploit for CVE-2021-44077, a pre-authentication RCE vulnerability in ManageEngine ServiceDesk Plus. It uploads an executable via an unauthenticated file upload endpoint and triggers execution via a separate endpoint.

Description

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

Exploits (3)

nomisec WORKING POC 35 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2021-44077

This is a functional exploit for CVE-2021-44077, a pre-authentication RCE vulnerability in ManageEngine ServiceDesk Plus. It uploads an executable via an unauthenticated file upload endpoint and triggers execution via a separate endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ManageEngine ServiceDesk Plus < 11306
No auth needed
Prerequisites: Network access to the target · A compiled executable payload
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by pizza-power · remote
https://github.com/pizza-power/Golang-CVE-2021-44077-POC

This is a Golang-based PoC for CVE-2021-44077, an unauthenticated RCE vulnerability in Zoho ManageEngine ServiceDesk Plus < 11306. The exploit uploads a malicious file via an unauthenticated endpoint and triggers execution via a separate endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus < 11306
No auth needed
Prerequisites: Network access to the target · A malicious executable file
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by wvu, Y4er · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb

This Metasploit module exploits CVE-2021-44077, an unauthenticated RCE vulnerability in ManageEngine ServiceDesk Plus, by uploading a malicious EXE (msiexec.exe) and executing it as SYSTEM via an authentication bypass and file upload flaw.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ServiceDesk Plus (versions up to 11305)
No auth needed
Prerequisites: Network access to target · ServiceDesk Plus vulnerable endpoint exposed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Zoho ManageEngine ServiceDesk Plus - Remote Code Execution
CRITICAL · by Adam Crosser, gy741
Shodan: http.title:"manageengine servicedesk plus"
FOFA: title="manageengine servicedesk plus"

Scores

CVSS v3 9.8
EPSS 0.9430
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-12-01
VulnCheck KEV 2021-12-01
InTheWild.io 2021-12-01
ENISA EUVD EUVD-2021-30936
CWE CWE-306
Status published
Products (5)
zohocorp/manageengine_servicedesk_plus 11.1 11138 (8 CPE variants)
zohocorp/manageengine_servicedesk_plus 11.2 11200 (12 CPE variants)
zohocorp/manageengine_servicedesk_plus 11.3 11300 (6 CPE variants)
zohocorp/manageengine_servicedesk_plus < 11.1
zohocorp/manageengine_servicedesk_plus_msp 10.5 10500 (23 CPE variants)
Published Nov 29, 2021
KEV Added Dec 01, 2021
Tracked Since Feb 18, 2026