APT Actors Still Exploiting Critical Flaw in ManageEngine Desktop Central Weeks after Vendor-Issued Patch

The FBI’s Cyber Division is warning ManageEngine customers that cyber actors are actively exploiting a critical vulnerability in the Zoho-owned endpoint management software. A patch has been available for weeks, but many users have yet to apply the fix.

ManageEngine Desktop Central, owned by Zoho Corporation, is a Unified Endpoint Management (UEM) platform that facilitates software deployment, mobile device management, OS Deployment, remote access, and even patch management. Any security issue with the software can therefore open up a can of worms for IT admins and regular users alike.

The FBI has issued a flash advisory warning users that hackers are actively targeting a critical security flaw in the platform even though a vendor-issued patch has been available since early December. This activity has been recorded by researchers since at least October.

“Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers,” the Fed's cyber division says in the flash warning.

“The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials,” it explains, following with a comprehensive list of technical details, including indicators of compromise and recommended mitigations.

As detailed by the vendor earlier this month, CVE-2021-44515 is an authentication bypass vulnerability in ManageEngine Desktop Central that could result in remote code execution.

“If exploited, the attackers can gain unauthorized access to the product by sending a specially crafted request leading to remote code execution,” according to the advisory.

Zoho rates the flaw as ‘critical’ and urges customers to update their installations to the latest build as soon as possible.

The vendor has issued documentation for both Desktop Central and Desktop Central MSP that can help IT admins verify if this vulnerability applies to their set-up and remediate it.