CVE-2021-44077 — Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability


Zoho ManageEngine ServiceDesk Plus — Unauthenticated File Upload RCE Exploited by TiltedTemple APT for IT Helpdesk Infrastructure Compromise

What is Zoho ManageEngine ServiceDesk Plus?

Zoho ManageEngine ServiceDesk Plus (SDP) is an enterprise IT helpdesk and service management platform used by organizations to manage IT support tickets, asset inventory, and IT service delivery. It is deployed in thousands of organizations across government, defense, healthcare, and enterprise sectors. SDP often contains sensitive information: employee contact data, asset configurations, VPN credentials submitted via support tickets, and links to other IT management systems. Compromising ServiceDesk Plus provides an attacker with insider access to IT operations and a platform for further network penetration.

Overview

CVE-2021-44077 is a critical unauthenticated remote code execution vulnerability (CWE-306 — missing authentication for critical function) in Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus. An unauthenticated attacker can upload arbitrary files through an exposed file upload endpoint and execute code on the server. Palo Alto Unit 42 attributed active exploitation to TiltedTemple, a Chinese-nexus APT group, which used this vulnerability to compromise hundreds of organizations' IT helpdesk infrastructure in late 2021.

Affected Versions

Product                 Vulnerable   Fixed
ServiceDesk Plus        < 11306      11306
ServiceDesk Plus MSP    < 10530      10530
SupportCenter Plus      < 11014      11014

Technical Details

The vulnerability stems from an API endpoint that handles file attachments for IT tickets and requests. This endpoint did not enforce authentication, allowing unauthenticated HTTP clients to upload files directly to the server's filesystem:

  • Root cause: Missing authentication on a file upload endpoint (CWE-306) — the endpoint intended for ticket attachments was accessible without credentials
  • Attack path: Unauthenticated attacker sends a multipart HTTP POST with a JSP/ASPX webshell to the upload endpoint → the file is written to a web-accessible directory → attacker accesses the webshell URL to execute commands
  • Execution context: Code executes as the ServiceDesk Plus service account (often a domain-privileged account for AD integration)
  • Scale of exposure: ManageEngine SDP is often internet-facing to support remote helpdesk operations, dramatically widening the attack surface

Discovery

Identified and reported to ManageEngine. Palo Alto Unit 42 documented active exploitation in their TiltedTemple research, connecting exploitation of this vulnerability to a broader APT campaign targeting ManageEngine products.

Exploitation Context

TiltedTemple (a Chinese-nexus threat actor) exploited CVE-2021-44077 in campaigns targeting organizations in the defense, technology, transportation, healthcare, and education sectors. The actor used the initial foothold to deploy webshells, enumerate the network, extract Active Directory credentials, and establish persistent access. ManageEngine's position as IT management infrastructure made it ideal for lateral movement — support requests containing VPN configurations, server access credentials, and network documentation flowed through the compromised system.

Remediation

  1. Upgrade to ServiceDesk Plus 11306 (or SDP MSP 10530 / SupportCenter Plus 11014) or later immediately
  2. Check for deployed webshells in the ServiceDesk Plus web directory — look for unexpected JSP/ASPX files modified around the time of potential exploitation
  3. Review ServiceDesk Plus access logs for unauthenticated file upload requests
  4. Restrict the ServiceDesk Plus web interface to internal/VPN-connected IPs where possible
  5. Audit Active Directory for unauthorized accounts or privilege changes made using credentials that may have been exposed through ServiceDesk Plus
  6. Rotate all service account credentials used by ServiceDesk Plus for AD and database integration
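The webshell hunt in step 2 and the access-log review in step 3 (and, from the Technical Details above, the attack path of a multipart POST to the upload endpoint followed by a dropped JSP/ASPX file) can be turned into a repeatable triage script. The following is an added example written for this page; it is not ManageEngine's tooling and not code from the advisory. It assumes the access log is in Common Log Format, treats a "-" in the authuser field as an unauthenticated request (an assumption; adapt it to whatever session marker your log carries), and uses "/attachment" as a placeholder for the real upload endpoint path, which the advisory does not name. The web root, file names, internal IP ranges and log lines are all constructed sample data.

```python
"""Defender triage for CVE-2021-44077-style webshell drops (added example, not vendor code).

Assumptions (none of these come from the advisory):
- access log in Common Log Format; authuser "-" is treated as unauthenticated
- "/attachment" stands in for the real upload endpoint path (placeholder)
- web root layout, file names, IP ranges and log lines are constructed
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Extensions an attacker would need to get server-side execution (step 2 of remediation)
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".aspx"}

# Constructed internal allow-list; step 4 recommends restricting access to such ranges
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Common Log Format: ip ident authuser [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines: one legitimate internal upload, one external
# unauthenticated upload, one unrelated GET, one internal upload with no user
SAMPLE_LOG = [
    '10.1.2.3 - jdoe [16/Nov/2021:09:12:01 +0000] "POST /attachment HTTP/1.1" 200 311',
    '203.0.113.7 - - [16/Nov/2021:09:14:55 +0000] "POST /attachment HTTP/1.1" 200 2048',
    '203.0.113.7 - - [16/Nov/2021:09:15:02 +0000] "GET /index.html HTTP/1.1" 200 0',
    '10.1.2.3 - - [16/Nov/2021:09:20:00 +0000] "POST /attachment HTTP/1.1" 200 900',
]


def find_recent_script_files(web_root, start, end):
    """Return JSP/ASPX files under web_root whose mtime falls within [start, end]."""
    hits = []
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if start <= mtime <= end:
                hits.append(path)
    return sorted(hits)


def suspicious_upload_requests(log_lines, upload_path_fragment="/attachment"):
    """Flag POSTs to the upload path that come from outside INTERNAL_NETS or carry no authuser."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or upload_path_fragment not in m["path"]:
            continue
        external = not any(ip_address(m["ip"]) in net for net in INTERNAL_NETS)
        unauthenticated = m["user"] == "-"
        if external or unauthenticated:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "path": m["path"],
                "status": int(m["status"]),
                "external": external, "unauthenticated": unauthenticated,
            })
    return findings


def demo_webshell_hunt():
    """Build a constructed web root in a temp dir and hunt for recently written script files."""
    root = tempfile.mkdtemp(prefix="sdp_demo_")
    now = datetime.now(tz=timezone.utc)
    planted = os.path.join(root, "custom", "cmd.jsp")   # constructed: stands in for a dropped shell
    legit = os.path.join(root, "images", "logo.png")    # non-script file, must be ignored
    old = os.path.join(root, "custom", "old.jsp")       # script file outside the time window
    for p in (planted, legit, old):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w"):
            pass
    old_ts = (now - timedelta(days=400)).timestamp()
    os.utime(old, (old_ts, old_ts))
    window = (now - timedelta(days=1), now + timedelta(minutes=1))
    return [os.path.relpath(p, root) for p in find_recent_script_files(root, *window)]


if __name__ == "__main__":
    print("recent script files:", demo_webshell_hunt())
    for f in suspicious_upload_requests(SAMPLE_LOG):
        print("suspicious upload:", f)
```

Run it against a real deployment by pointing find_recent_script_files at the ServiceDesk Plus web directory with the exploitation window from your timeline, and feeding suspicious_upload_requests the actual access log with the genuine upload endpoint path in place of the placeholder. Any external or unauthenticated POST that was followed by a GET to a newly written JSP/ASPX file is the pairing worth escalating.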

Key Details

Property              Value
CVE ID                CVE-2021-44077
Vendor / Product      Zoho — ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus
NVD Published         2021-11-29
NVD Last Modified     2025-10-31
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-306
CISA KEV Added        2021-12-01
CISA KEV Deadline     2021-12-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2021-12-15. Apply updates per vendor instructions.

Timeline

Date         Event
2021-11-16   ManageEngine releases ServiceDesk Plus 11306, SDP MSP 10530, SupportCenter Plus 11014 (patches)
2021-11-29   CVE published
2021-12-01   Added to CISA Known Exploited Vulnerabilities catalog
2021-12-15   CISA BOD 22-01 remediation deadline
2021-12      Palo Alto Unit 42 publishes TiltedTemple research linking CVE-2021-44077 to APT campaigns