Each of two flaws allows attackers to bypass authentication, leaving customers of MSPs that use ManageEngine at risk. Patches are available.

Hackers are exploiting a critical authentication bypass vulnerability in ManageEngine Desktop Central MSP, an endpoint management tool used by managed service providers (MSPs). Attacks started before ManageEngine issued a patch, so all customers are advised to check their systems for signs of exploitation using a special tool released by the developers.

ManageEngine is a division of business software developer Zoho that’s focused on IT management software. The division maintains a portfolio of over 90 products and free tools that are used by millions of system administrators in more than 180,000 companies around the world. News of this latest zero-day vulnerability comes after hackers exploited at least two other flaws in ManageEngine products this year. Attacks against MSPs and their tools have risen over the past several years as hackers have realized that compromising such organizations can provide an easy way into the networks of thousands of businesses that rely on them to manage their IT assets.

Multiple authentication bypasses

The vulnerability in ManageEngine Desktop Central MSP is tracked as CVE-2021-44515 and was patched on December 3, 2021. It allows attackers to bypass authentication and execute arbitrary code on the Desktop Central MSP server.

The company released builds 10.1.2127.18 and 10.1.2137.3 for the enterprise and MSP versions of the product. In addition, a tool has been released that can scan existing deployments for signs of the known exploit.
If a compromised installation is detected, the company advises a series of steps that include:

1. Disconnect the affected machine from the network.
2. Make a backup of the Desktop Central MSP configuration and critical business data.
3. Format the compromised machine.
4. Deploy the same software build, preferably on a new machine.
5. Restore the backup.
6. Upgrade the installation to the latest patched version.

In addition, the company highly recommends resetting the passwords for all services, accounts and Active Directory (AD) systems that have been accessed from the compromised machine. Resetting the AD admin password is also advisable.

On December 3, Zoho also patched a separate authentication bypass flaw in another ManageEngine product called ServiceDesk Plus that’s used for IT help desk and asset management. Tracked as CVE-2021-44526, this flaw impacts the on-premises deployments of the product up to version 12002. “This vulnerability can allow an adversary to bypass authentication and access Templates’ field and form rules, Technician Auto Assign settings, the Asset Field’s Allowed Values, Translation and Change SLA configurations, the Assets associated to a user, and role details from Change Templates, as well as reorder the Service Catalog,” the company explained.

Users are advised to upgrade to builds 11149, 11212, 11311 or 12003, depending on the ServiceDesk Plus version they’re currently using. It’s also important to note that Professional and Enterprise ServiceDesk Plus deployments that use the Desktop Central agent for asset discovery are also impacted by the previously mentioned CVE-2021-44515 vulnerability.

Past attacks have used IT management tools for MSPs

On December 2, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) together with the FBI issued an advisory about active attacks targeting an older ManageEngine ServiceDesk Plus vulnerability that was patched in September.
Tracked as CVE-2021-44077, that flaw allows for unauthenticated remote code execution on affected systems. “The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability,” the agencies said. “Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

In September, CISA, the FBI and the United States Coast Guard Cyber Command (CGCYBER) issued a similar advisory to warn about attacks, also by APT actors, exploiting an authentication bypass vulnerability in a ManageEngine single sign-on solution called ADSelfService Plus.

It’s clear that attackers are showing an interest in ManageEngine products, but the company’s tools are not the only IT management applications that have been targeted. In July, hackers exploited a vulnerability in a remote management tool called Kaseya VSA that’s used by many MSPs. The incident led to the compromise of hundreds of businesses worldwide and their infection with the REvil ransomware. In 2019, ransomware groups exploited an old vulnerability in the ConnectWise ManagedITSync integration, a utility designed to sync data between the ConnectWise Manage PSA and the Kaseya VSA RMM, to compromise MSPs.