CVE-2021-44675

CRITICAL

ManageEngine ServiceDesk Plus MSP < 10.5 - Unauthenticated Remote Code Execution via Authentication Bypass

Title source: llm

Description

Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerabilities-in-servicedesk-plus-msp-that-could-lead-to-remote-code-execution

Scores

CVSS v3 9.8

EPSS 0.0254

EPSS Percentile 85.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (2)

zohocorp/manageengine_servicedesk_plus_msp 10.5 10500 (34 CPE variants)

zohocorp/manageengine_servicedesk_plus_msp < 10.5

Published Dec 20, 2021

Tracked Since Feb 18, 2026