Hi there,
This security advisory addresses an unauthenticated remote code execution (RCE) vulnerability affecting ServiceDesk Plus versions up to 11305.
This vulnerability was addressed on September 16, 2021 in versions 11306 and above, and an advisory was published as well.
Please note that we are observing exploitation of this vulnerability, and we strongly urge all customers using ServiceDesk Plus (all editions) on versions 11305 and below to update to the latest version immediately.
This vulnerability does not affect ServiceDesk Plus Cloud versions.
Severity: Critical
Impact:
This vulnerability can allow an adversary to execute arbitrary code on the ServiceDesk Plus server and carry out further attacks from there.
What led to the vulnerability?
A security misconfiguration in ServiceDesk Plus led to the vulnerability.
Who is affected?
This vulnerability affects ServiceDesk Plus (on-premises) customers of all editions using versions 11305 and below.
How have we fixed it?
The vulnerability has been addressed by correcting the security configuration and removing the unused URL in versions 11306 and above.
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 11305 or below, your installation is vulnerable.
Please follow this forum post for any further updates regarding this vulnerability.
What customers should do
Customers who fit the above criteria can upgrade to the latest version (12001) using the appropriate migration path.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all your settings intact. If you're using MS SQL Server as the back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.
Best,
The ServiceDesk Plus team