Enterprise software maker Zoho on Monday released patches to fix a critical security flaw in Desktop Central and Desktop Central MSP. A remote attacker could use this vulnerability to take unauthorized action on affected servers.
Tracked as CVE-2021-44757, the shortcoming concerns an instance of authentication bypass that “may allow an attacker to read unauthorized data or write an arbitrary zip file on the server,” the company noted in an advisory.
Osword, SGLAB of Legendsec in Qi’anxin Group was credited for discovering the vulnerability and reporting it. The Indian firm said it remediated the issue in build version 10.1.2137.9.
With the latest fix, Zoho has addressed a total of four vulnerabilities over the past five months:
- CVE-2021-40539 (CVSS score: 9.8) – Authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus
- CVE-2021-44077 (CVSS score: 9.8) – Unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus, and
- CVE-2021-44515 (CVSS score: 9.8) – Authentication bypass vulnerability affecting Zoho ManageEngine Desktop Central
Given that all three of the aforementioned flaws have been exploited by malicious actors, users are advised to apply the updates as soon as possible to mitigate any potential threats.