CVE-2021-44650
Description
Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution via crafted proxy settings.
Vulnerability
A remote command execution vulnerability exists in Zoho ManageEngine M365 Manager Plus prior to Build 4419. The flaw resides in the Admin ProxySettings and Tenant ProxySettings components, where user-supplied input is not properly sanitized when updating proxy configuration. An attacker can inject arbitrary operating system commands that are executed with the privileges of the application server. Affected versions are all builds before 4419 [1].
Exploitation
Exploitation requires an authenticated user with administrative privileges to access the proxy settings interface. The attacker crafts a malicious proxy hostname or port value containing command injection payloads. When the administrator saves the proxy settings, the injected commands are executed on the underlying server. No additional user interaction is needed beyond the initial authentication [1].
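The input handling this section describes, shown from the defensive side as an added example (not ManageEngine's code or its actual fix): strict allowlist validation of a proxy host and port before the values are stored or used. The function names, the `host`/`port` dictionary keys and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Characters that can appear in a hostname or an IPv4/IPv6 literal.
# Checked first so shell metacharacters, whitespace, newlines and
# IPv6 zone ids ("%...") are rejected before any further parsing.
_HOST_CHARS = re.compile(r"[A-Za-z0-9.:-]{1,253}")
# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_proxy_host(value):
    """True only for an IP literal or an RFC 1123 hostname."""
    if not isinstance(value, str) or not _HOST_CHARS.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def valid_proxy_port(value):
    """True only for ASCII digits that form an integer in 1-65535."""
    text = str(value)
    return text.isascii() and text.isdigit() and 1 <= int(text) <= 65535


def audit_proxy_settings(settings):
    """Return (field, reason) findings for a dict with 'host' and 'port'."""
    findings = []
    if not valid_proxy_host(settings.get("host")):
        findings.append(("host", "not an IP literal or RFC 1123 hostname"))
    if not valid_proxy_port(settings.get("port")):
        findings.append(("port", "not an integer in 1-65535"))
    return findings


if __name__ == "__main__":
    # Constructed sample records, not taken from any real deployment.
    samples = [
        {"host": "proxy.example.test", "port": "8080"},
        {"host": "proxy.example.test;x", "port": "8080"},
        {"host": "10.0.0.5", "port": "8080|x"},
    ]
    for record in samples:
        print(record, "->", audit_proxy_settings(record) or "ok")
```

Validation of this kind belongs on the server side, at the point where the settings are accepted, and it complements rather than replaces the upgrade to Build 4419.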
Impact
Successful exploitation results in remote code execution on the M365 Manager Plus server. The attacker gains the same privileges as the application process, typically SYSTEM or a high-privileged service account. This can lead to full compromise of the server, including data exfiltration, lateral movement, and further attacks within the network [1].
Mitigation
The vulnerability is fixed in Build 4419, released by Zoho ManageEngine. Users should upgrade to Build 4419 or later immediately. No workarounds are documented. The product is not listed on the CISA KEV as of the publication date [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine/M365 Manager Plus
- Range: < Build 4419
Patches
No patches discovered yet.
References
[1] www.manageengine.com/microsoft-365-management-reporting/release-notes.html (MITRE, x_refsource_MISC)