Hello!
This notification is in regard to an authentication bypass vulnerability that was recently identified in Desktop Central. This applies to Desktop Central MSP as well. Registered as CVE-2021-44515, this vulnerability has now been fixed, and the fix was released in our latest build on 3rd December 2021.
What is the issue?
An authentication bypass vulnerability in ManageEngine Desktop Central that could result in remote code execution.
What is the impact of the issue?
If exploited, this vulnerability allows attackers to gain unauthorized access to the product by sending a specially crafted request, leading to remote code execution.
What is the severity of the issue?
We consider the severity of this vulnerability to be critical.
Is this issue applicable to you? How to identify and mitigate it?
Note: As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible.
Additional Recommendation:
Please follow the security hardening guidelines to ensure all the security controls and protections are configured to keep your Desktop Central environment secure.
Cheers,
Team Desktop Central.