Zoho warns of new zero-day vulnerability exploited in attacks

Zoho urged customers on Friday to update their ManageEngine servers and apply a software fix that patches a zero-day vulnerability that is currently being exploited in the wild.

Tracked as CVE-2021-44515, the vulnerability impacts Zoho ManageEngine Desktop Central, an endpoint management solution that companies use to manage their workers’ devices.

In a security advisory, the company said it patched a bug that would have allowed attackers to bypass authentication and run malicious code on Desktop Central servers.

“As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” the company told customers.

The company did not share any details about the threat actor(s) exploiting this bug, but the advisory comes after state-backed groups have already exploited two other vulnerabilities in ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077) software packages to compromise its customers’ networks already.

Attacks against the first began as early as August, according to CrowdStrikeCISA, and Palo Alto Networks, and attacks against the second bug began in November, according to Palo Alto Networks and CISA.

Image: Palo Alto Networks

According to Palo Alto Networks, the targets of these previous attacks included several organizations in the US defense sector. It is believed that the purpose of these attacks is cyber-espionage and data theft.

While it is currently unconfirmed that the same nation-state groups are behind the exploitation of this third vulnerability, companies should exercise caution and update their Zoho servers as soon as possible.

There are currently approximately 3,100 Zoho ManageEngine Desktop Central servers connected to the internet, ripe for exploitation.

While previously Zoho released some steps to discover if a server has been hacked, there are no such instructions or steps at the time of writing, meaning Zoho customers will also most likely have to initiate incident response procedures right after they patch and inspect servers for the presence of any suspicious files. They can start by looking for the webshells detailed in the two Palo Alto Network and CISA alerts first.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Recent Posts

Conti ransomware hits Apple, Tesla supplier

The Conti ransomware gang has been linked to an attack on Delta Electronics, a Taiwanese…

42 mins ago

Biden administration launches initiative to protect U.S. water systems from cyberattacks

The Biden administration on Thursday will kick off an effort to protect the country’s water…

1 hour ago

DeepDotWeb co-admin sentenced to 8 years in prison

One of the two administrators of the DeepDotWeb portal was sentenced this week to 97…

4 hours ago

Ukrainian government calls out false flag operation in recent data wiping attack

The Ukrainian government said today that it found evidence meant to connect the data wiping…

17 hours ago

Meta’s free mode came with a cost, report says

Meta Connectivity (previously Facebook Connectivity) is facing scrutiny after reports emerged that their Free Basics…

20 hours ago

White House releases final zero-trust strategy for federal government

The White House on Wednesday issued finalized plans for its strategy to move the federal…

23 hours ago