CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2021-37415

CVSS 9.8v3.1pub. 2021-09-01upd. 2025-10-31

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zohocorp Manageengine Servicedesk Plus

    APP
    Zohocorp
    11.011.111.211.3

CISA KEV — detailsi

Vendori
Zoho
Producti
ManageEngine ServiceDesk Plus (SDP)
Added to KEVi
December 1, 2021
Remediation deadline (US Federal)i
December 15, 2021(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 15 grudnia 2021
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2022-47966CRITICAL9.8⚠ KEVten sam produkt

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code exec...

CVE-2021-44077CRITICAL9.8⚠ KEVten sam produkt

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus bef...

CVE-2021-44526CRITICAL9.8ten sam produkt

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2019-8395CRITICAL9.8ten sam produkt

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) be...

CVE-2024-38869HIGH8.3ten sam produkt

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office depl...