An unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44077) was identified in ManageEngine ServiceDesk Plus MSP. This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions 10529 and below. We rate this vulnerability as critical and have noticed active exploitation of this vulnerability by cyberthreat actors. We strongly urge customers to upgrade to ServiceDesk Plus MSP versions 10530 and above.
Please note that this vulnerability is not new but was already identified and addressed on September 16, 2021 in versions 10530 and above, and an advisory was published as well.
Read the advisory →
Use the exploit detection tool to run a quick scan and discover any compromises in your installation. The tool checks for the presence of any indicators of compromise associated with the CVE-2021-44077 vulnerability and notifies you if your system is infected.
Download the tool & check if you are compromised →
\ManageEngine\ServiceDeskPlus-MSP\logs
\ManageEngine\ServiceDeskPlus-MSP\webapps\ROOT\WEB-INF
\ManageEngine\ServiceDeskPlus-MSP\bin
The scan tool checks for malicious files and entries in logs. At any given time, ServiceDesk Plus MSP maintains only 50 log files and so your server compromise may not be detectable in the log files.
So, as a precautionary measure, please move your installation to a new server by following the procedure below.
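To gauge how far back the retained logs reach before relying on a clean scan result, the following added example (not part of ManageEngine's tool or of this advisory) classifies a log directory by its file count and oldest modification time. The 50-file cap comes from the text above; the window start date, the file names and the assumption that every file in the directory counts toward the cap are illustrative.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

LOG_CAP = 50  # retention limit stated in the advisory


def log_coverage(log_dir, window_start, cap=LOG_CAP):
    """Classify whether the retained log files reach back to window_start (UTC)."""
    files = [p for p in Path(log_dir).iterdir() if p.is_file()]
    if not files:
        return {"count": 0, "oldest": None, "status": "no_logs"}
    # mtime is the last write, so entries from this moment onward are retained.
    oldest = min(datetime.fromtimestamp(p.stat().st_mtime, timezone.utc) for p in files)
    if oldest <= window_start:
        status = "covered"          # logs reach back to the start of the window
    elif len(files) >= cap:
        status = "rotated_out"      # at the cap: older files were likely discarded
    else:
        status = "short_history"    # below the cap, yet early logs are absent
    return {"count": len(files), "oldest": oldest, "status": status}


def make_constructed_logs(log_dir, count, step_days, newest):
    """Create empty placeholder files with back-dated mtimes (constructed data)."""
    for i in range(count):
        path = Path(log_dir) / f"constructed_{i:02d}.txt"
        path.touch()
        ts = (newest - timedelta(days=i * step_days)).timestamp()
        os.utime(path, (ts, ts))


def demo():
    """Run the check on three constructed directories and return their statuses."""
    newest = datetime(2021, 12, 1, tzinfo=timezone.utc)
    window_start = datetime(2021, 9, 16, tzinfo=timezone.utc)  # assumed window start
    cases = {"daily_at_cap": (50, 1), "weekly_at_cap": (50, 7), "daily_below_cap": (10, 1)}
    results = {}
    for name, (count, step) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            make_constructed_logs(tmp, count, step, newest)
            results[name] = log_coverage(tmp, window_start)["status"]
    return results


if __name__ == "__main__":
    print(demo())
```

Run `log_coverage` against a copy of the logs folder with the date from which you need coverage. Modification times can be changed on a compromised host, so a "covered" result only says the files span the window, not that they are intact.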
Follow the steps below to move your ServiceDesk Plus MSP installation to a new server.
pg_dump -U {user-name} -h {server} -p {port} servicedesk > {dumpfilename.sql}
Note: A backup will be created with the file name "dumpfilename.sql". Take a copy of this file to restore ServiceDesk Plus MSP data.
Prerequisites for creating a backup:
\ManageEngine\ServiceDeskPlus-MSP\fileAttachments
\ManageEngine\ServiceDeskPlus-MSP\inlineimages
\ManageEngine\ServiceDeskPlus-MSP\LuceneIndex
\ManageEngine\ServiceDeskPlus-MSP\conf
\ManageEngine\ServiceDeskPlus-MSP\custom
\ManageEngine\ServiceDeskPlus-MSP\app_relationships
\ManageEngine\ServiceDeskPlus-MSP\integration
\ManageEngine\ServiceDeskPlus-MSP\archive
\ManageEngine\ServiceDeskPlus-MSP\zreports
\ManageEngine\ServiceDeskPlus-MSP\lib\AdventNetLicense.xml
\ManageEngine\ServiceDeskPlus-MSP\ZIA\dataset
\ManageEngine\ServiceDeskPlus-MSP\ImportResults
stopdb.bat 65432
Please feel free to contact our support team.
Write to us at support@servicedeskplusmsp.com
Call us toll-free at +1.888.720.9500.
This is an unauthenticated RCE vulnerability that was identified in ServiceDesk Plus MSP. It can allow an adversary to execute arbitrary code and carry out any subsequent attacks.
This vulnerability affects versions 10529 and below in ServiceDesk Plus MSP (all editions).
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version (all editions) is 10529 or below, you might be affected.
You can also run the exploit detection tool above to verify if your installation has been compromised.
Further, please follow the steps mentioned above to move your ServiceDesk Plus MSP installation to a new server.
You can upgrade to the latest version (10532) using the appropriate migration path.
The vulnerability has been addressed by fixing the security configuration process in ServiceDesk Plus MSP versions 10530 and above. You can upgrade to the latest version (10532) using the appropriate migration path.
We've put together this dedicated webpage to keep you up-to-date on the latest updates from our side, the technicalities of the vulnerability, our incident response plan, and recommended actions.