CVE-2022-40770: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus were found to contain a remote command execution (RCE) vulnerability, identified as CVE-2022-40770. The vulnerability was discovered in the input fields used for configuring Analytics Plus integration. The issue affects ServiceDesk Plus versions 13010 and prior, ServiceDesk Plus MSP versions 10610 and below, and SupportCenter Plus versions 11025 and below. The vulnerability was reported by Piotr Bazydlo of Trend Micro's Zero Day Initiative and was officially fixed in September-October 2022 (ManageEngine Advisory).

The vulnerability is classified as an authenticated command injection flaw that can be exploited by users with administrative privileges. The CVSS v3.1 score for this vulnerability indicates high severity with a vector string of AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, and it is associated with CWE-77 (Command Injection) (NVD).

The vulnerability enables threat actors with administrative access to execute arbitrary commands through the Analytics Plus integration configuration fields. This could potentially lead to subsequent attacks and compromise of the affected systems (ManageEngine Advisory).

Zoho has released fixed versions for all affected products: ServiceDesk Plus version 13011 (released September 27, 2022), ServiceDesk Plus MSP version 13000 (released October 13, 2022), and SupportCenter Plus version 11026 (released October 28, 2022). Users are advised to upgrade to these versions through the official upgrade packs available on the ManageEngine website (ManageEngine Advisory).