vulnerability
Zoho ManageEngine ServiceDesk Plus MSP: CVE-2021-44675: Authentication bypass and arbitrary code execution.
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Dec 5, 2021 | Jan 14, 2025 | Mar 25, 2026 |
Description
One of the Tomcat filters is not configured properly in ServiceDesk Plus MSP. This vulnerability allows attackers to invoke any URL without authentication.
Solution
zoho-manageengine-servicedesk-plus-msp-upgrade-latest
References
- CWE-287
- CVE-2021-44675
- https://attackerkb.com/topics/CVE-2021-44675
- https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerabilities-in-servicedesk-plus-msp-that-could-lead-to-remote-code-execution
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-31493