Each of two flaws allows attackers to bypass authentication, leaving customers of MSPs that use ManageEngine at risk. Patches are available.

Hackers are exploiting a critical authentication bypass vulnerability in ManageEngine Desktop Central MSP, an endpoint management tool used by managed service providers (MSPs). Attacks started before ManageEngine issued a patch, so all customers are advised to check their systems for signs of exploitation using a special tool released by the developers.

ManageEngine is a division of business software developer Zoho that’s focused on IT management software. The division maintains a portfolio of over 90 products and free tools that are used by millions of system administrators in more than 180,000 companies around the world.

News of this latest zero-day vulnerability comes after hackers exploited at least two other flaws in ManageEngine products this year. Attacks against MSPs and their tools have risen over the past several years because hackers have realized that compromising such organizations can provide an easy way into the networks of thousands of businesses that rely on them to manage their IT assets.

Multiple authentication bypasses

The vulnerability in ManageEngine Desktop Central MSP is tracked as CVE-2021-44515 and was patched on December 3, 2021. It allows attackers to bypass authentication and execute arbitrary code on the Desktop Central MSP server.

The company released builds 10.1.2127.18 and 10.1.2137.3 for the enterprise and MSP versions of the product, respectively. In addition, a tool has been released that can scan existing deployments for signs of the known exploit.
If a compromised installation is detected, the company advises a series of steps that include:

1. Disconnect the affected machine from the network.
2. Make a backup of the Desktop Central MSP configuration and critical business data.
3. Format the compromised machine.
4. Deploy the same software build, preferably on a new machine.
5. Restore the backup.
6. Upgrade the installation to the latest patched version.

In addition, the company highly recommends resetting the passwords for all services, accounts and Active Directory (AD) systems that have been accessed from the compromised machine. Resetting the AD admin password is also advisable.

On December 3, Zoho also patched a separate authentication bypass flaw in another ManageEngine product called ServiceDesk Plus that’s used for IT help desk and asset management. Tracked as CVE-2021-44526, this flaw impacts on-premises deployments of the product up to version 12002.

“This vulnerability can allow an adversary to bypass authentication and access Templates’ field and form rules, Technician Auto Assign settings, the Asset Field’s Allowed Values, Translation and Change SLA configurations, the Assets associated to a user, and role details from Change Templates, as well as reorder the Service Catalog,” the company explained.

Users are advised to upgrade to builds 11149, 11212, 11311 or 12003, depending on the ServiceDesk Plus version they’re currently using. It’s also important to note that Professional and Enterprise ServiceDesk Plus deployments that use the Desktop Central agent for asset discovery are also impacted by the previously mentioned CVE-2021-44515 vulnerability.

Past attacks have used IT management tools for MSPs

On December 2, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) together with the FBI issued an advisory about active attacks targeting an older ManageEngine ServiceDesk Plus vulnerability that was patched in September.
Tracked as CVE-2021-44077, that flaw allows for unauthenticated remote code execution on affected systems.

“The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability,” the agencies said. “Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

In September, CISA, the FBI and the United States Coast Guard Cyber Command (CGCYBER) issued a similar advisory to warn about attacks, also by APT actors, exploiting an authentication bypass vulnerability in a ManageEngine single sign-on solution called ADSelfService Plus.

It’s clear that attackers are showing an interest in ManageEngine products, but the company’s tools are not the only IT management applications that have been targeted. In July, hackers exploited a vulnerability in a remote management tool called Kaseya VSA that’s used by many MSPs. The incident led to the compromise of hundreds of businesses worldwide and their infection with the REvil ransomware. In 2019, ransomware groups exploited an old vulnerability in the ConnectWise ManagedITSync integration, a utility designed to sync data between the ConnectWise Manage PSA and the Kaseya VSA RMM, to compromise MSPs.
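Added example (not from the article or from ManageEngine): a small Python triage helper that compares an inventory of Desktop Central, Desktop Central MSP and ServiceDesk Plus build numbers against the fixed builds listed above, so a defender can see which servers still need the CVE-2021-44515 / CVE-2021-44526 patches. The inventory and hostnames are constructed, and the rule that a ServiceDesk Plus build belongs to the release series given by its first three digits is an assumption.

```python
# Fixed builds for CVE-2021-44515, as stated in the vendor advisory quoted above.
DESKTOP_CENTRAL_FIXED = {
    "desktop_central": "10.1.2127.18",     # enterprise edition
    "desktop_central_msp": "10.1.2137.3",  # MSP edition
}
# ServiceDesk Plus (CVE-2021-44526) lists one fixed build per release series.
# Assumption (not from the article): a series is the build's first three digits,
# and every build at or above the listed one in that series carries the fix.
SERVICEDESK_FIXED = {"111": 11149, "112": 11212, "113": 11311, "120": 12003}
SERVICEDESK_LAST_VULN = 12002  # on-premises deployments "up to version 12002"


def build_tuple(build: str) -> tuple:
    """Split a dotted build into integers so 10.1.2137.3 sorts after 10.1.2127.18
    (a plain string comparison would order these by characters and get it wrong)."""
    return tuple(int(part) for part in build.strip().split("."))


def desktop_central_vulnerable(edition: str, build: str) -> bool:
    """True if this Desktop Central build predates the CVE-2021-44515 fix."""
    return build_tuple(build) < build_tuple(DESKTOP_CENTRAL_FIXED[edition])


def servicedesk_vulnerable(build: int) -> bool:
    """True if this on-prem ServiceDesk Plus build predates the CVE-2021-44526 fix."""
    if build > SERVICEDESK_LAST_VULN:
        return False
    fixed = SERVICEDESK_FIXED.get(str(build)[:3])
    # A series with no listed fixed build is flagged rather than silently passed.
    return fixed is None or build < fixed


def triage(inventory: list) -> list:
    """Return the hostnames whose build still needs patching."""
    needs_patch = []
    for host in inventory:
        if host["product"] == "servicedesk_plus":
            vuln = servicedesk_vulnerable(int(host["build"]))
        else:
            vuln = desktop_central_vulnerable(host["product"], host["build"])
        if vuln:
            needs_patch.append(host["host"])
    return needs_patch


# Constructed sample inventory for a stand-alone run.
SAMPLE = [
    {"host": "dc-msp-01", "product": "desktop_central_msp", "build": "10.1.2137.2"},
    {"host": "dc-msp-02", "product": "desktop_central_msp", "build": "10.1.2137.3"},
    {"host": "dc-ent-01", "product": "desktop_central", "build": "10.1.2127.9"},
    {"host": "sdp-01", "product": "servicedesk_plus", "build": "11148"},
    {"host": "sdp-02", "product": "servicedesk_plus", "build": "12003"},
]

if __name__ == "__main__":
    print("needs patching:", triage(SAMPLE))
```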