Vulnerability DatabaseCVE-2021-44526

CVE-2021-44526:
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

Overview

Zoho ManageEngine ServiceDesk Plus before version 12003 contains an authentication bypass vulnerability (CVE-2021-44526) that affects certain admin configurations. The vulnerability was disclosed in December 2021 (NVD, CVE).

Technical details

The vulnerability exists due to a flaw in the application filters used in the list view. Using a crafted URL, an attacker can access a servlet that should only be available to an authenticated user. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

A successful exploitation of this vulnerability could allow an unauthenticated attacker to bypass authentication mechanisms and gain unauthorized access to admin configurations. This could potentially lead to unauthorized access to sensitive information and system compromise (Tenable).

Mitigation and workarounds

Zoho has released patches to address this vulnerability. Organizations using ManageEngine ServiceDesk Plus should upgrade to version 12003 or later to mitigate this security issue. The fix includes additional checks to ensure the filters are properly configured to prevent authentication bypass (Vendor Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

9.8

Score

Published December 23, 2021

Severity CRITICAL

CNA Score N/A

Affected Technologies

Zoho ManageEngine ServiceDesk Plus

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 90

Exploitation Probability (EPSS) 5.5

Affected packages and libraries

cpe:2.3:a:zohocorp:manageengine_servicedesk_plus

Sources

NVD
- Linux Severity CRITICALHas FixAdded at: Jan 06, 2022
- Windows Severity CRITICALHas FixAdded at: Jan 06, 2022

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Zoho ManageEngine ServiceDesk Plus vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-8309	HIGH	8.1	Zoho ManageEngine ServiceDesk Plus	cpe:2.3:a:zohocorp:manageengine_servicedesk_plus	No	Yes	Aug 20, 2025
CVE-2024-41150	MEDIUM	6.1	Zoho ManageEngine ServiceDesk Plus	cpe:2.3:a:zohocorp:manageengine_servicedesk_plus	No	Yes	Aug 23, 2024
CVE-2024-50053	MEDIUM	5.4	Zoho ManageEngine ServiceDesk Plus	cpe:2.3:a:zohocorp:manageengine_servicedesk_plus	No	Yes	Mar 21, 2025
CVE-2024-38869	MEDIUM	5.4	Zoho ManageEngine ServiceDesk Plus	cpe:2.3:a:zohocorp:manageengine_servicedesk_plus	No	Yes	Aug 23, 2024
CVE-2024-27314	LOW	2.4	Zoho ManageEngine ServiceDesk Plus	cpe:2.3:a:zohocorp:manageengine_servicedesk_plus	No	Yes	May 27, 2024

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-44526: Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation