VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2021 · Updated Aug 3, 2024

CVE-2021-31159

Description

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zoho ManageEngine ServiceDesk Plus MSP before build 10519 allows user enumeration via distinct error messages in the Forgot Password functionality.

Vulnerability

Zoho ManageEngine ServiceDesk Plus MSP before build 10519 is vulnerable to a user enumeration bug in the Forgot Password functionality. The application returns different error messages depending on whether the provided username exists in the system. This improper error-message generation allows an attacker to determine valid user accounts. The issue is tracked as SDPMSP-15732 [1].

Exploitation

An attacker with network access to the Forgot Password page can exploit this vulnerability without authentication. By submitting password reset requests for a list of usernames, the attacker observes the response: if the user exists, the server returns a message indicating an email has been sent; if the user does not exist, a different message is returned. This behavior can be automated to enumerate accounts, including Active Directory users if AD authentication is enabled [4].

Impact

Successful exploitation allows an attacker to enumerate valid user accounts, including Active Directory users, which can then be used for targeted attacks such as password spraying or social engineering. The vulnerability does not by itself yield privilege escalation or access to stored data; what it leaks is account existence, which removes much of the guesswork from an attacker's reconnaissance.

Mitigation

The vulnerability is fixed in build 10519 of Zoho ManageEngine ServiceDesk Plus MSP [1]. Users should upgrade to this build or later. No workarounds are documented. Until the upgrade is applied, a burst of Forgot Password requests carrying many distinct usernames from a single source is the signature of automated enumeration and is worth alerting on. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
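The two behaviours described above, the response oracle an attacker drives in the Exploitation section and the uniform-response pattern that removes it, as an added example. This is illustrative Python, not ServiceDesk Plus code: the user list, the message wording, the status codes and the function names are all constructed here, and the real endpoint and exact strings are not given on this page.

```python
"""Added example (not vendor code): a forgot-password handler that leaks account
existence through distinct messages, a hardened variant that does not, and the
differential oracle an attacker would run against either."""
import secrets
from typing import Callable, Dict, Iterable, Tuple

# Constructed sample directory standing in for the application's user store.
KNOWN_USERS = {"alice", "bob", "svc-backup"}

# A handler returns (HTTP status, body). Both must be compared: a different
# status code leaks existence just as well as different text does.
Response = Tuple[int, str]


def _queue_reset_email(username: str) -> None:
    """Placeholder for the real mail step; the side effect is not observable
    by the requester, which is what makes the hardened handler safe."""
    return None


def vulnerable_forgot_password(username: str) -> Response:
    """The pattern behind CVE-2021-31159 (assumed wording): the reply depends
    on whether the username exists."""
    if username in KNOWN_USERS:
        _queue_reset_email(username)
        return (200, "An email with reset instructions has been sent.")
    return (404, "The specified user does not exist.")


def hardened_forgot_password(username: str) -> Response:
    """Same status and message whether or not the user exists; only the
    unobservable side effect differs."""
    if username in KNOWN_USERS:
        _queue_reset_email(username)
    return (200, "If the account exists, an email with reset instructions "
                 "has been sent.")


def enumerate_users(handler: Callable[[str], Response],
                    candidates: Iterable[str]) -> Dict[str, Response]:
    """Differential oracle. Submit a username that cannot exist to learn the
    'unknown user' response, then flag every candidate whose response differs
    from that baseline. Against a uniform-response handler this returns {}."""
    baseline_name = "no-such-user-" + secrets.token_hex(8)
    baseline = handler(baseline_name)
    found: Dict[str, Response] = {}
    for name in candidates:
        resp = handler(name)
        if resp != baseline:
            found[name] = resp
    return found


if __name__ == "__main__":
    wordlist = ["alice", "mallory", "bob", "administrator"]
    print("vulnerable:", sorted(enumerate_users(vulnerable_forgot_password, wordlist)))
    print("hardened:  ", sorted(enumerate_users(hardened_forgot_password, wordlist)))
```

The oracle compares the whole response, not just the message text, because in a real deployment a differing status code, redirect target or content length is as good a signal as a differing sentence. When testing a live instance the same comparison should also be extended to response timing, since a handler that only sends mail for existing users can leak existence through latency even after the messages are unified; the page reports message differences only, so the example stops there.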

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patch links discovered in the index yet; the vendor fix is build 10519 (see Mitigation).

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0. No linked articles in our index yet.