📄 Description (English)
Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability — Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution
🤖 AI Executive Summary
Zoho ManageEngine ServiceDesk Plus and related products contain a critical unauthenticated remote code execution vulnerability (CVSS 9.0) affecting versions before 11306. This vulnerability allows attackers to execute arbitrary code without authentication, posing an immediate threat to organizations using these IT service management platforms. Active exploits are publicly available, making this a high-priority threat requiring immediate patching across all affected deployments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 11:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi organizations across multiple critical sectors: Banking sector (SAMA-regulated institutions) using ServiceDesk Plus for IT operations management; Government agencies and entities under NCA oversight; Healthcare organizations managing IT infrastructure; Energy sector (ARAMCO and related entities); Telecommunications providers (STC, Mobily, Zain) managing customer support operations; and large enterprises using SupportCenter Plus for customer-facing support. The unauthenticated nature of the RCE makes it particularly dangerous as it can be exploited from the internet without valid credentials, potentially leading to complete system compromise, data exfiltration, and lateral movement within critical infrastructure.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Large Enterprises
IT Service Providers
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1133 - External Remote Services
T1059 - Command and Scripting Interpreter
T1086 - PowerShell
T1053 - Scheduled Task/Job
T1543 - Create or Modify System Process
T1547 - Boot or Logon Autostart Execution
T1041 - Exfiltration Over C2 Channel
T1021 - Remote Services
⚖️ Saudi Risk Score (AI)
9.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus in your environment
2. Immediately isolate affected systems from internet-facing access or restrict network access to trusted sources only
3. Enable enhanced logging and monitoring on all affected systems
4. Review access logs for indicators of exploitation (unusual HTTP requests, POST requests to suspicious endpoints)
PATCHING GUIDANCE:
1. Upgrade ServiceDesk Plus to version 11306 or later immediately
2. Upgrade ServiceDesk Plus MSP to version 10530 or later
3. Upgrade SupportCenter Plus to version 11014 or later
4. Test patches in non-production environment first, then deploy to production with minimal delay
5. Verify patch installation by checking version numbers post-deployment
COMPENSATING CONTROLS (if patching delayed):
1. Implement Web Application Firewall (WAF) rules to block exploitation attempts
2. Restrict network access to ServiceDesk Plus to authorized IP ranges only
3. Disable internet-facing access and require VPN for all remote access
4. Implement rate limiting on authentication endpoints
5. Deploy intrusion detection signatures for CVE-2021-44077 exploitation patterns
DETECTION RULES:
1. Monitor for POST requests to /api/ endpoints without proper authentication headers
2. Alert on execution of system commands from ServiceDesk Plus process
3. Monitor for unexpected child processes spawned by ServiceDesk Plus Java process
4. Track file modifications in ServiceDesk Plus installation directory
5. Monitor outbound connections from ServiceDesk Plus to external IP addresses
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ Zoho ManageEngine ServiceDesk Plus و ServiceDesk Plus MSP و SupportCenter Plus في بيئتك
2. عزل الأنظمة المتأثرة فوراً عن الوصول المواجه للإنترنت أو تقييد الوصول الشبكي للمصادر الموثوقة فقط
3. تفعيل السجلات والمراقبة المحسّنة على جميع الأنظمة المتأثرة
4. مراجعة سجلات الوصول للبحث عن مؤشرات الاستغلال (طلبات HTTP غير عادية، طلبات POST إلى نقاط نهاية مريبة)
إرشادات التصحيح:
1. ترقية ServiceDesk Plus إلى الإصدار 11306 أو أحدث فوراً
2. ترقية ServiceDesk Plus MSP إلى الإصدار 10530 أو أحدث
3. ترقية SupportCenter Plus إلى الإصدار 11014 أو أحدث
4. اختبار التصحيحات في بيئة غير الإنتاج أولاً، ثم النشر في الإنتاج بأقل تأخير
5. التحقق من تثبيت التصحيح بفحص أرقام الإصدارات بعد النشر
الضوابط البديلة (إذا تأخر التصحيح):
1. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) لحجب محاولات الاستغلال
2. تقييد الوصول الشبكي إلى ServiceDesk Plus للنطاقات المصرح بها فقط
3. تعطيل الوصول المواجه للإنترنت والمطالبة بـ VPN لجميع الوصول البعيد
4. تطبيق تحديد معدل على نقاط نهاية المصادقة
5. نشر توقيعات كشف الاختراق لأنماط استغلال CVE-2021-44077
قواعد الكشف:
1. مراقبة طلبات POST إلى نقاط نهاية /api/ بدون رؤوس مصادقة مناسبة
2. التنبيه على تنفيذ أوامر النظام من عملية ServiceDesk Plus
3. مراقبة العمليات الفرعية غير المتوقعة التي تم إنشاؤها بواسطة عملية Java في ServiceDesk Plus
4. تتبع تعديلات الملفات في دليل تثبيت ServiceDesk Plus
5. مراقبة الاتصالات الصادرة من ServiceDesk Plus إلى عناوين IP خارجية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Organization of Information Security
A.8.1.1 - User Access Management
A.12.2.1 - Restrictions on Software Installation
A.12.6.1 - Management of Technical Vulnerabilities
A.13.1.1 - Network Security Perimeter
A.14.2.1 - System Development and Maintenance
🔵 SAMA CSF
Governance - Risk Management Framework
Governance - Third-party Risk Management
Protect - Access Control
Protect - Data Protection
Detect - Monitoring and Logging
Respond - Incident Response
🟡 ISO 27001:2022
5.1 - Policies for Information Security
6.1 - Information Security Roles and Responsibilities
8.1 - User Registration and Access Rights
8.2 - User Access Provisioning
8.3 - Access Rights Review
12.2 - Restrictions on Software Installation
12.6 - Management of Technical Vulnerabilities
13.1 - Network Security Perimeter
🟣 PCI DSS v4.0
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 11 - Regularly test security systems and processes
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Zoho:ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus