CVE-2021-44757: Authentication Bypass Vulnerability in Zoho Desktop Central
An authentication bypass vulnerability was recently identified and patched in Zoho Desktop Central and Desktop Central MSP.
Tracked as CVE-2021-44757, the flaw has been fixed in the company’s latest build, released on January 17, 2022, according to the official notification.
In case of a successful exploitation, the vulnerability could enable attackers to read unauthorized data or write an arbitrary ZIP file on the server.
In terms of mitigation, customers are advised to update to the latest versions of Desktop Central and Desktop Central MSP. If you are affected by the CVE-2021-44757 vulnerability, refer to the respective Desktop Central and Desktop Central MSP notifications for more details.
Other recently addressed vulnerabilities in Zoho products include the following critical issues:
- CVE-2021-40539 – Authentication bypass issue in Zoho ManageEngine ADSelfService Plus;
- CVE-2021-44077 – Unauthenticated RCE vulnerability that impacts Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus;
- CVE-2021-44515 – Authentication bypass flaw in Zoho ManageEngine Desktop Central.
Applying the available patches is highly recommended, as these three vulnerabilities have been exploited in active attacks. To avoid attacks based on the most recent CVE-2021-44757 flaw, follow the recommended mitigations.