New critical vulnerability in Zoho ManageEngine exploited by hackers

The FBI's cyber division has issued a flash alert warning organizations that use ManageEngine Desktop Central, developed by Zoho, that a hacking group is exploiting a critical vulnerability in the product to install malware on exposed servers.

ManageEngine is the enterprise IT management software division of Zoho, a leading software-as-a-service (SaaS) vendor. According to the alert, the flaw affects both the enterprise edition of Desktop Central and the managed service provider (MSP) edition.

In early December Zoho released a patch for the flaw, an authentication bypass tracked as CVE-2021-44515, and urged customers to apply it immediately because the company had already detected active exploitation attempts.

Although Zoho gave no further details about those incidents, the FBI says the vulnerability has been under attack for at least a couple of months: “Since late October, advanced persistent threat (APT) groups have been actively exploiting the zero-day vulnerability identified in ManageEngine Desktop Central servers,” the agency notes.

Separately, a Microsoft report attributes the attempts to exploit CVE-2021-44515 to a China-based hacking group that installs web shells on compromised servers in order to maintain persistence. The group routinely targets flaws in IT management products that are widely deployed in large organizations.

The FBI adds that, after the initial compromise, the attackers download post-exploitation tools, enumerate users and groups in the target domain, carry out network reconnaissance and dump credentials.

The FBI has also identified at least two web shell variants, dropped under the file names “emsaler.zip,” “eco-inflect.jar,” and “aaa.zip.” The web shell overrides a legitimate Desktop Central API servlet endpoint, which is what allows the underlying system to be compromised.

The main recommendation is to apply the updates without delay: no workaround is known and the exploitation campaign is still active. Administrators should also check their Desktop Central servers for the web shell file names listed above, since a server that was already compromised stays compromised after patching.
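As an added example, not code from the FBI alert, from Zoho, or from the original article, the script below does the two checks the advice above implies: it decides whether a Desktop Central build number falls in a vulnerable range, and it sweeps an installation directory for files carrying the three web shell names named in the alert. The build ranges in VULNERABLE_RANGES are an assumption recalled from Zoho's advisory and must be confirmed against the vendor's current security bulletin before the result is trusted; the directory layout in build_sample_tree() is constructed for the demonstration and is not a real install.

```python
"""Patch-level and web shell IOC checks for ManageEngine Desktop Central (CVE-2021-44515)."""
import tempfile
from pathlib import Path

# File names the FBI alert associates with the observed web shell variants.
# The match below is case-insensitive so renamed-case drops are still caught.
WEBSHELL_NAMES = frozenset({"emsaler.zip", "eco-inflect.jar", "aaa.zip"})

# Vulnerable build ranges as (lowest, highest, first fixed build).
# ASSUMPTION: recalled from Zoho's advisory for CVE-2021-44515; verify against
# the vendor bulletin before relying on this table.
VULNERABLE_RANGES = [
    ((10, 1, 0, 0), (10, 1, 2127, 17), (10, 1, 2127, 18)),
    ((10, 1, 2128, 0), (10, 1, 2137, 2), (10, 1, 2137, 3)),
]


def parse_build(build):
    """Turn '10.1.2127.17' into a comparable tuple of four integers."""
    parts = tuple(int(p) for p in build.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Desktop Central build format: {build!r}")
    return parts


def build_status(build):
    """Return (vulnerable, fixed_build) for a build string.

    fixed_build is the first patched build for the matching range, or None
    when the build is outside every vulnerable range.
    """
    b = parse_build(build)
    for low, high, fixed in VULNERABLE_RANGES:
        if low <= b <= high:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def find_webshell_artifacts(root):
    """Recursively list files under root whose name matches a known web shell name."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in WEBSHELL_NAMES:
            hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """CONSTRUCTED sample install tree for the demonstration, not a real product layout.

    Contains one legitimate-looking jar, one web shell name in the webapp root
    and one web shell name in a different case under another directory.
    """
    root = Path(tempfile.mkdtemp(prefix="dc-sweep-"))
    lib = root / "webapps" / "DesktopCentral" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "legit-library.jar").write_bytes(b"PK\x03\x04")
    (root / "webapps" / "DesktopCentral" / "eco-inflect.jar").write_bytes(b"PK\x03\x04")
    staging = root / "bin" / "tmp"
    staging.mkdir(parents=True)
    (staging / "AAA.zip").write_bytes(b"PK\x03\x04")
    return root


if __name__ == "__main__":
    for build in ("10.1.2127.17", "10.1.2127.18", "10.1.2137.2", "10.1.2137.3"):
        vulnerable, fixed = build_status(build)
        verdict = f"VULNERABLE, update to {fixed}" if vulnerable else "not in a vulnerable range"
        print(f"build {build}: {verdict}")
    sample_root = build_sample_tree()
    for hit in find_webshell_artifacts(sample_root):
        print(f"web shell artifact: {hit.relative_to(sample_root)}")
```

Run build_status() against the build shown in the Desktop Central console and find_webshell_artifacts() against the real installation directory (and any web-accessible upload paths) rather than the constructed sample. A hit on a file name is a starting point for an investigation, not proof of compromise on its own, and a clean sweep does not prove absence: the attackers can rename the dropped file, so the file check should be paired with a review of the server's access logs for unexpected requests to the overridden servlet endpoint.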

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.