About the vulnerability

An unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44077) was identified in ManageEngine ServiceDesk Plus MSP. This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions 10529 and below. We rate this vulnerability as critical and have noticed active exploitation of this vulnerability by cyberthreat actors. We strongly urge customers to upgrade to ServiceDesk Plus MSP versions 10530 and above.

  • Please note that this vulnerability is not new but was already identified and addressed on September 16, 2021 in versions 10530 and above, and an advisory was published as well.

    Read the advisory

Exploit detection tool

Use the exploit detection tool to run a quick scan and discover any compromises in your installation. The tool checks for the presence of any indicators of compromise associated with the CVE-2021-44077 vulnerability and notifies you if your system is infected.

Download the tool & check if you are compromised

How to use the exploit detection tool

  • Start > Run and type "services.msc" and hit Enter or press OK.
  • Locate and stop the "ManageEngine ServiceDesk Plus - MSP" service.
  • Download the exploit detection tool (Zip file).
  • Open the Zip file and go to the FindVulnerableFile_MSP folder and then extract the FindVulnerableFile folder to \ManageEngine\ServiceDeskPlus-MSP
  • Go to the extracted folder: \ManageEngine\ServiceDeskPlus-MSP\FindVulnerableFile.
  • Right-click the RCEScan.bat file and choose Run as Administrator. A command window will open and the scan will be initiated. If your server is affected, you will get one of the following messages:
    "Your server has been compromised by an Unauthenticated RCE attack. Isolate the ServiceDesk Plus MSP server from the network immediately and contact ServiceDesk Plus MSP support support@servicedeskplusmsp.com for more assistance."

    Or

    "Unknown and/or modified files have been detected in your server. Please send the vulnerablefiles.txt from ManageEngine/ServiceDesk-MSP/FindVulnerableFile to "support@servicedeskplusmsp.com" and mention the subject as "CVE-2021-44077" so that we can check if your server has been compromised."

  • If your server is affected, send us the following folders for further analysis:

    \ManageEngine\ServiceDeskPlus-MSP\logs

    \ManageEngine\ServiceDeskPlus-MSP\webapps\ROOT\WEB-INF

    \ManageEngine\ServiceDeskPlus-MSP\bin

    The scan tool checks for malicious files and entries in logs. ServiceDesk Plus MSP maintains only 50 log files at any given time, so a compromise of your server may not be detectable in the log files.

  • On the other hand, if you have already migrated to ServiceDesk Plus MSP 10530 or later, your ServiceDesk Plus MSP installation is secure and no longer vulnerable to any new attacks. However, the system could have been compromised before the upgrade. As for fresh installations of ServiceDesk Plus MSP starting from build 10530 or later, they are secure and will not be impacted by this vulnerability.
  • So, as a precautionary measure, please move your installation to a new server by following the procedure below.

Steps to move your ServiceDesk Plus MSP installation to a new server

Follow the steps below to move your ServiceDesk Plus MSP installation to a new server.

  • Step 1 : Disconnect your server from the network.
  • Step 2 : Back up ServiceDesk Plus MSP data:
    • Environments using PostgreSQL database:
      • Open command prompt.
      • Navigate to \ManageEngine\ServiceDeskPlus-MSP\pgsql\bin
      • Execute the following command:
      • pg_dump -U {user-name} -h {server} -p {port} servicedesk > {dumpfilename.sql}

      Note: A backup will be created with the file name "dumpfilename.sql". Take a copy of this file to restore ServiceDesk Plus MSP data.

    • Environments using Microsoft SQL Server database: Disconnect the Microsoft SQL Server.
  • Step 3 : Back up the files under the following directories:

    Prerequisites for creating a backup:

    • Make sure that there are no executable files in the directories listed below. Executable files typically have names of the form *.exe, *.jsp, *.bat, *.sh, etc. If you find unrecognizable executable files in any of the directories, contact support for further assistance.
    • Make sure to scan the directories listed below for malicious files or programs using antivirus software. If malicious files or programs are found, skip those files while creating the backup.
    • Go to \ManageEngine\ServiceDeskPlus-MSP\conf, open product-config.xml, and find the entry " <configuration name="user.password.encrypt" value="true"/> ". If the entry is not found or if the value is set to "false", you need to reset the login password for all users after restoration.

    \ManageEngine\ServiceDeskPlus-MSP\fileAttachments

    \ManageEngine\ServiceDeskPlus-MSP\inlineimages

    \ManageEngine\ServiceDeskPlus-MSP\LuceneIndex

    \ManageEngine\ServiceDeskPlus-MSP\conf

    \ManageEngine\ServiceDeskPlus-MSP\custom

    \ManageEngine\ServiceDeskPlus-MSP\app_relationships

    \ManageEngine\ServiceDeskPlus-MSP\integration

    \ManageEngine\ServiceDeskPlus-MSP\archive

    \ManageEngine\ServiceDeskPlus-MSP\zreports

    \ManageEngine\ServiceDeskPlus-MSP\lib\AdventNetLicense.xml

    \ManageEngine\ServiceDeskPlus-MSP\ZIA\dataset

    \ManageEngine\ServiceDeskPlus-MSP\ImportResults

  • Step 4 : Set up a new server to install ServiceDesk Plus MSP afresh.
  • Step 5 : Download and install the same version of ServiceDesk Plus MSP on the new server.
  • Step 6 : Restore data (if you were using the built-in PostgreSQL database) by using the backup file created or connect to the database (if you were using Microsoft SQL Server database). To restore data in PostgreSQL setups, follow these steps:
    • Copy the backup file "dumpfilename.sql" to \ManageEngine\ServiceDeskPlus-MSP\pgsql\bin
    • Open command prompt
    • Navigate to \ManageEngine\ServiceDeskPlus-MSP\bin
    • Execute the following command :
      startDB.bat 65432
    • Navigate to \ManageEngine\ServiceDeskPlus-MSP\pgsql\bin
    • Execute the following commands:
      psql.exe -h {server} -p {port} -U {user-name} -d servicedesk
      query \c postgres
      drop database servicedesk;
      create database servicedesk;
      \q or quit.
      psql.exe -U {user-name} -h {server} -p {port} -d servicedesk -f {dumpfilename.sql}
    • Navigate to \ManageEngine\ServiceDeskPlus-MSP\bin
    • Execute the following command:

      stopdb.bat 65432

  • Step 7 : Restore the backed up files (obtained in Step 3) to their respective directories.
  • Step 8 : Upgrade ServiceDesk Plus MSP to the latest version. See: Migration Sequence.
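
The Step 3 prerequisites (no executable files in the backup set, and the user.password.encrypt entry in product-config.xml) can be checked in one pass before copying anything. The PowerShell below is an added example, not part of the vendor's tooling; the function name Test-SdpMspBackupSet and the -InstallRoot parameter are assumptions, and it complements rather than replaces RCEScan.bat and the antivirus scan.

```powershell
# Added example: pre-backup check for the Step 3 prerequisites.
# Test-SdpMspBackupSet and $InstallRoot are hypothetical names; pass the real
# path of your ServiceDeskPlus-MSP folder (the page does not give the drive).
function Test-SdpMspBackupSet {
    param(
        [Parameter(Mandatory)] [string] $InstallRoot,
        # Extensions named on the page; its "etc." means the list is not exhaustive.
        [string[]] $Extensions = @('.exe', '.jsp', '.bat', '.sh')
    )

    # Directories listed for backup in Step 3 (lib\AdventNetLicense.xml is a
    # single file, so it is not scanned here).
    $dirs = 'fileAttachments', 'inlineimages', 'LuceneIndex', 'conf', 'custom',
            'app_relationships', 'integration', 'archive', 'zreports',
            'ZIA\dataset', 'ImportResults'

    $hits = foreach ($d in $dirs) {
        $path = Join-Path $InstallRoot $d
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing: $path"; continue }
        # -Force includes hidden files; hash each hit so it can be reported to support.
        Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
            Select-Object FullName, Length, LastWriteTime,
                @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
    }

    # Look up <configuration name="user.password.encrypt" value="..."/>.
    $conf = Join-Path $InstallRoot 'conf\product-config.xml'
    $encrypt = $null
    if (Test-Path -LiteralPath $conf) {
        $node = Select-Xml -LiteralPath $conf -XPath "//configuration[@name='user.password.encrypt']" |
            Select-Object -First 1
        if ($node) { $encrypt = $node.Node.GetAttribute('value') }
    }

    [pscustomobject]@{
        ExecutableFiles            = @($hits)      # must be empty before backing up
        PasswordEncryptValue       = $encrypt      # $null when the entry is absent
        # Per the page: entry missing or "false" means reset all user passwords after restore.
        ResetPasswordsAfterRestore = ($encrypt -ne 'true')
    }
}

# Example invocation (the path is a placeholder):
# $r = Test-SdpMspBackupSet -InstallRoot 'D:\ManageEngine\ServiceDeskPlus-MSP'
# $r.ExecutableFiles | Format-Table -AutoSize
```

Any file returned in ExecutableFiles should be left out of the backup and raised with support, as the prerequisites in Step 3 describe.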

For any assistance regarding the vulnerability

Please feel free to contact our support team.

  • Call us toll-free at +1.888.720.9500.

Frequently asked questions


This is an unauthenticated RCE vulnerability that was identified in ServiceDesk Plus MSP. It can allow an adversary to execute arbitrary code and carry out any subsequent attacks.

This vulnerability affects versions 10529 and below in ServiceDesk Plus MSP (all editions).

Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version (all editions) is 10529 and below, you might be affected.

You can also run the exploit detection tool above to verify if your installation has been compromised.

  • If your server is affected, send us the following folders for further analysis:

    \ManageEngine\ServiceDeskPlus-MSP\logs

    \ManageEngine\ServiceDeskPlus-MSP\webapps\ROOT\WEB-INF

    \ManageEngine\ServiceDeskPlus-MSP\bin

    The scan tool checks for malicious files and entries in logs. ServiceDesk Plus MSP maintains only 50 log files at any given time, so a compromise of your server may not be detectable in the log files.

    Further, please follow the steps mentioned above to move your ServiceDesk Plus MSP installation to the new server.


The vulnerability has been addressed by fixing the security configuration process in ServiceDesk Plus MSP versions 10530 and above. You can upgrade to the latest version (10532) using the appropriate migration path.

We've put together this dedicated webpage to keep you up-to-date on the latest updates from our side, the technicalities of the vulnerability, our incident response plan, and recommended actions.