CVE-2021-37415 — Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability

Zoho ManageEngine ServiceDesk Plus — Unauthenticated REST API Access Before Build 11302 Allowing Account Takeover and Credential Exposure

What is Zoho ManageEngine ServiceDesk Plus?

Zoho ManageEngine ServiceDesk Plus (SDP) is an enterprise IT helpdesk and IT service management (ITSM) platform used by thousands of organizations to manage support tickets, asset inventory, change management, and IT service delivery. ServiceDesk Plus stores sensitive information including employee contact data, IT asset configurations, and credentials submitted via support tickets. It integrates with Active Directory and often runs in a privileged network position with access to IT management systems.

Overview

CVE-2021-37415 is an authentication bypass (CWE-306, missing authentication for a critical function) in Zoho ManageEngine ServiceDesk Plus before build 11302. A small number of REST API URLs are reachable without authentication because the authentication enforcement does not cover them. An unauthenticated attacker can call these endpoints to retrieve sensitive data or create or modify records and, chained with other weaknesses, take over accounts. It is distinct from, and earlier than, CVE-2021-44077, the unauthenticated file upload RCE fixed in build 11306.

Affected Versions

Product              Vulnerable       Fixed
ServiceDesk Plus     < Build 11302    Build 11302

Technical Details

ServiceDesk Plus enforces authentication on web requests in a Java servlet filter. The filter's URL pattern matching does not cover a few REST API endpoints, so requests to them are never checked for a valid session:

  • Root cause: Missing authentication (CWE-306). Specific REST API URL patterns are not matched by the authentication enforcement filter, so the endpoints behind them are reachable without credentials. This is the classic failure mode of a filter that protects an explicit list of paths rather than denying by default.
  • Accessible data: Unauthenticated access to these REST API endpoints can expose ticket data, user account information, asset inventory, and ServiceDesk configuration.
  • Account operations: Some of the exposed endpoints allow modification of account state or retrieval of data that enables further exploitation, which is why the CVSS vector carries high integrity impact as well as high confidentiality impact.
  • Relationship to CVE-2021-44077: CVE-2021-37415 (fixed August 2021, build 11302) is an earlier auth bypass; CVE-2021-44077 (November 2021, fixed in build 11306) is a more severe unauthenticated file upload RCE. An instance upgraded only to builds 11302 through 11305 for this bug is still exposed to the file upload RCE; build 11306 or later closes both.
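
The following is an added illustration of the CWE-306 pattern described above, not code from ServiceDesk Plus or from the vendor fix. It models an authentication filter that only guards an explicit list of URL patterns (so any path outside that list, such as a REST route, passes unauthenticated) next to a default-deny filter with an explicit public allowlist. The patterns, the `/api/` paths and the session flag are assumptions for the demonstration; they are not the filter configuration or the URLs affected by CVE-2021-37415.

```python
"""Added example: deny-list vs default-deny authentication filtering.

The URL patterns and paths below are hypothetical and chosen only to show
how a filter that enumerates protected paths misses new REST endpoints.
They are not the real ServiceDesk Plus filter mappings or affected URLs.
"""
from fnmatch import fnmatchcase
from posixpath import normpath
from urllib.parse import unquote

# Hypothetical patterns the flawed filter was configured to protect.
PROTECTED_PATTERNS = ["/app/*", "/admin/*", "/reports/*"]
# Hypothetical endpoints that are legitimately reachable without a session.
PUBLIC_PATTERNS = ["/login", "/static/*"]


def normalize(path: str) -> str:
    """Strip the query string, percent-decode and collapse '..' segments so that
    pattern matching always sees one canonical form of the request path."""
    decoded = unquote(path.split("?", 1)[0])
    return "/" + normpath(decoded).lstrip("/")


def matches_any(path: str, patterns) -> bool:
    return any(fnmatchcase(path, p) for p in patterns)


def vulnerable_filter(path: str, session_valid: bool) -> str:
    """Deny-list enforcement: only paths matching PROTECTED_PATTERNS require a
    session. A REST endpoint under /api/ is never matched, so it is never checked."""
    p = normalize(path)
    if matches_any(p, PROTECTED_PATTERNS) and not session_valid:
        return "401"
    return "200"


def hardened_filter(path: str, session_valid: bool) -> str:
    """Default-deny enforcement: every path requires a session unless it is
    explicitly public. Routes added later are protected without a config change."""
    p = normalize(path)
    if matches_any(p, PUBLIC_PATTERNS):
        return "200"
    return "200" if session_valid else "401"


def unauthenticated_gaps(paths):
    """Paths an unauthenticated client reaches under the flawed filter but not
    under the hardened one; this is the kind of list a route audit should produce."""
    return [
        p for p in paths
        if vulnerable_filter(p, False) == "200" and hardened_filter(p, False) == "401"
    ]


if __name__ == "__main__":
    sample = ["/api/records", "/app/tickets", "/login", "/api/accounts/reset",
              "/app/%2e%2e/api/records"]
    for p in sample:
        print(f"{p:28} flawed={vulnerable_filter(p, False)} hardened={hardened_filter(p, False)}")
    print("gaps:", unauthenticated_gaps(sample))
```

The audit function is the practical takeaway: enumerate every route the application serves and confirm that each one is either on a deliberate public allowlist or rejected without a session. Normalizing the path before matching matters in both filters, since an encoded `..` segment that reaches the match step undecoded is another way for a protected-pattern list to miss a request.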

Discovery

Reported to ManageEngine by external security researchers reviewing the ServiceDesk Plus REST API; fixed in Build 11302, released in August 2021.

Exploitation Context

ManageEngine IT management products are recurring targets for APT groups because of their privileged position in enterprise IT infrastructure. A ServiceDesk Plus instance with unauthenticated REST API access leaks help desk data and lets an attacker enumerate users, assets, and IT configuration as a foothold for further attacks. The December 2021 CISA KEV addition reflects confirmed exploitation in the wild.

Remediation

  1. Upgrade ServiceDesk Plus to Build 11302 or later; upgrade directly to Build 11306 or later, which also fixes the subsequent CVE-2021-44077 file upload RCE
  2. Restrict ServiceDesk Plus web interface access to internal/VPN-connected users only
  3. Review ServiceDesk Plus REST API access logs for unauthenticated requests during the period the instance ran a build before 11302
  4. Audit ticket contents and exported data for potential unauthorized access
  5. Rotate credentials for any service accounts used by ServiceDesk Plus for AD integration
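
As an added example of steps 1 and 3 above (not a script from the vendor or the page), the block below reports which of the two CVEs a given build number is still exposed to and triages access-log lines for REST API requests that carried no authenticated user inside the window in which the instance was vulnerable. It assumes Common Log Format lines, an `/api/` prefix for REST routes and an upgrade date of 2021-08-25; the sample lines are constructed for the demonstration. ServiceDesk Plus's own log layout differs, and a `-` in the remote-user field is only a first-pass signal for an application that tracks sessions by cookie, so correlate hits with the application's audit log before drawing conclusions.

```python
"""Added example: build exposure check and access-log triage for
unauthenticated REST API requests during the vulnerable window.

Log format (Common Log Format), the /api/ prefix, the window dates and the
sample lines are assumptions for the demonstration; they are not the
ServiceDesk Plus log layout or the endpoints affected by CVE-2021-37415.
"""
import re
from collections import Counter
from datetime import datetime, timezone

FIXED_BUILD_37415 = 11302   # CVE-2021-37415 fixed from this build
FIXED_BUILD_44077 = 11306   # CVE-2021-44077 fixed from this build

# Assumed window: from an arbitrary start to the (hypothetical) upgrade date.
WINDOW_START = datetime(2021, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 8, 25, tzinfo=timezone.utc)

# Constructed sample log lines; 203.0.113.5 hits REST routes with no user recorded.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2021:10:15:02 +0000] "GET /api/records?format=json HTTP/1.1" 200 5120
203.0.113.5 - - [20/Aug/2021:10:15:09 +0000] "POST /api/accounts HTTP/1.1" 200 310
198.51.100.7 - jsmith [20/Aug/2021:11:02:44 +0000] "GET /api/records HTTP/1.1" 200 4800
203.0.113.5 - - [20/Aug/2021:10:16:00 +0000] "GET /app/tickets HTTP/1.1" 302 0
192.0.2.9 - - [05/Sep/2021:09:00:00 +0000] "GET /api/records HTTP/1.1" 200 4800
203.0.113.5 - - [20/Aug/2021:10:17:00 +0000] "GET /api/secret HTTP/1.1" 403 120
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def exposed_cves(build: int) -> list:
    """CVE identifiers a ServiceDesk Plus build number is still exposed to."""
    cves = []
    if build < FIXED_BUILD_37415:
        cves.append("CVE-2021-37415")
    if build < FIXED_BUILD_44077:
        cves.append("CVE-2021-44077")
    return cves


def parse_line(line: str):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def suspicious_api_requests(lines, window_start, window_end, api_prefix="/api/"):
    """REST requests in the window that succeeded with no authenticated user recorded."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not (window_start <= rec["ts"] <= window_end):
            continue                      # outside the vulnerable period
        if not rec["path"].startswith(api_prefix):
            continue                      # not a REST route
        if rec["user"] != "-":
            continue                      # an authenticated user was recorded
        if rec["status"] >= 400:
            continue                      # rejected anyway
        hits.append(rec)
    return hits


def by_source(hits) -> dict:
    """Count hits per client address to surface the noisiest unauthenticated source."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    print("build 11300 exposed to:", exposed_cves(11300))
    found = suspicious_api_requests(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END)
    for h in found:
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
    print("per source:", by_source(found))
```

On the constructed sample, two requests from 203.0.113.5 qualify: the authenticated request from jsmith, the non-API request, the request after the upgrade date and the 403 are all dropped. Against real logs, feed the output into step 4 (which records were read or changed) and step 5 (which service accounts may have been exposed) rather than treating it as proof of compromise on its own.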

Key Details

Property               Value
CVE ID                 CVE-2021-37415
Vendor / Product       Zoho, ManageEngine ServiceDesk Plus (SDP)
NVD Published          2021-09-01
NVD Last Modified      2025-10-31
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-306
CISA KEV Added         2021-12-01
CISA KEV Deadline      2021-12-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-12-15. Apply updates per vendor instructions.

Timeline

Date         Event
2021-08-10   ManageEngine releases ServiceDesk Plus Build 11302 with fix for CVE-2021-37415
2021-09-01   CVE published
2021-12-01   Added to CISA Known Exploited Vulnerabilities catalog
2021-12-15   CISA BOD 22-01 remediation deadline

References

Resource                                        Type
ManageEngine ServiceDesk Plus Release Notes     Vendor Advisory
NVD: CVE-2021-37415                             Vulnerability Database
CISA KEV Catalog Entry                          US Government