This is a security advisory regarding an authentication bypass vulnerability (CVE-2021-44757) in ManageEngine Desktop Central, reported by an external security researcher via our bug bounty program.
Who is affected?
This vulnerability affects customers of ServiceDesk Plus MSP (Professional and Enterprise editions) who have installed Desktop Central to leverage the unified agent for asset inventory.
Affected build numbers of Desktop Central:
Desktop Central installations with the following build numbers are affected:
10.1.2137.8 and below.
What was the problem?
An authentication bypass vulnerability in Desktop Central was identified which, when exploited, can allow an attacker to read unauthorized data or write an arbitrary ZIP file in the Desktop Central server.
How have we fixed the vulnerability?
This vulnerability was fixed on January 17, 2022, and the mitigation is available in build 10.1.2137.9. To apply this fix, follow the steps below:
Log in to your Desktop Central console, then click your current build number in the top-right corner.
You'll be able to find the latest build applicable to you. Download the PPM and update Desktop Central.
Note: If you fall in the build range 10.1.2140.X to 10.1.2149.X, please contact our support team at firstname.lastname@example.org for the fix.
Important note: As always, make a copy of the entire Desktop Central installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the Desktop Central database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at email@example.com.