Remote Access Plus Vulnerability in Zoho ManageEngine due to Hardcoded Credentials
CVE-2021-41828

7.5HIGH

Key Information:

Vendor: Zohocorp
Status: Manageengine Remote Access Plus
Vendor: CVE Published:; 30 September 2021

What is CVE-2021-41828?

The vulnerability in Zoho ManageEngine Remote Access Plus arises from hardcoded credentials associated with the resetPWD.xml file. This security flaw allows unauthorized access to sensitive functionalities, potentially exposing systems to various cyber threats. Remediation involves upgrading to the latest version, which mitigates this risk by removing these hardcoded credentials.

References

https://medium.com/nestedif/vulnerability-disclosure-hard...

x_refsource_MISC

https://www.manageengine.com/remote-desktop-management/ho...

x_refsource_MISC

EPSS Score

11% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 30, 2021
Vulnerability Reserved
Sep 30, 2021

Zohocorp

What is CVE-2021-41828?

References

EPSS Score

CVSS V3.1

Timeline