Researchers have found multiple critical flaws in the IT help desk software ManageEngine, made by Zoho Corp.
In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running Zoho’s SaaS suite of applications.
According to the researchers at Digital Defense who found the flaws, each of the bugs is an application-layer vulnerability residing in the web-rpc services of the affected software suites. The researchers published a blog post on Wednesday outlining their findings.
Digital Defense’s Vulnerability Research Team said the vulnerabilities included unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration flaws. Each of them, according to the researchers, can potentially reveal sensitive information or lead to a full compromise of the application.