
Cloud Vulnerability DB
A community-led vulnerabilities database
Zoho ManageEngine DesktopCentral before version 10.0.709 contained a critical authentication vulnerability that allowed unauthorized users to obtain a valid user's APIKEY without requiring authentication. The vulnerability was discovered and disclosed in July 2021 (Vendor Advisory).
The vulnerability stemmed from a server endpoint with insufficient access control; exploiting it could lead to unauthorized access to the Endpoint Central instance. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).
The vulnerability allowed attackers to obtain valid user APIKEYs without authentication, potentially leading to unauthorized access to the Endpoint Central instance. This could result in exposure of sensitive information and potential system compromise (Vendor Advisory).
The vulnerability was patched in DesktopCentral build 10.0.709 released on July 23, 2021. Users are strongly advised to upgrade to this version or later. The vulnerability does not affect cloud editions of Endpoint Central, Patch Manager Plus and Remote Access Plus (Vendor Advisory).
Source: This report was generated using AI