ManageEngine is one of the most widely deployed ITSM/ITOM suites in the world, which also makes it a target for attackers. Several high-profile CVEs surfaced in 2022-2024. As a ManageEngine implementation partner (3PRO Gold Partner via MWT Solutions) we prefer transparency. This article is a practical FAQ for administrators who want to understand the risk and defend effectively.
1. Context: why ManageEngine CVEs hit the headlines
ManageEngine is part of Zoho Corp. and, according to the vendor, is used by over 280,000 organizations across roughly 190 countries. That footprint makes it an attractive target for attackers hunting for high-value systems in enterprise IT.
Attack surface and the CVE reality
Most historical ManageEngine CVEs are server-side vulnerabilities:
- RCE (Remote Code Execution): ability to run code on the server
- Authentication bypass: skipping the login step entirely, or escalating privileges once logged in
- SQL injection: direct read or write access to the backend database
- Information disclosure: leak of configuration or user data
These are serious vulnerabilities, but one fact matters most: for every CVE listed below the vendor released a fix. Once an advisory is published, the priority is to install the update as quickly as possible.
For comparison: other enterprise platforms
Other popular ITSM/IT management platforms have had critical CVEs too:
- ServiceNow: CVE-2024-4879 (CVSS 9.3), access security
- Jira Service Management: CVE-2023-22515 (CVSS 10.0), critical RCE
- Atlassian Confluence: CVE-2023-22527 (CVSS 10.0), RCE
Conclusion: no enterprise software is free of CVEs. What matters is the vendor's response time and your ability to deploy patches.
2. How does ManageEngine (Zoho Corp.) respond to CVEs?
Security management process
Zoho Corp. runs a dedicated PSIRT (Product Security Incident Response Team), which:
- Receives vulnerability reports from security researchers and customers
- Verifies the vulnerability and determines impact
- Develops and tests a fix
- Releases a patch for every affected product version
- Publishes a Security Advisory at manageengine.com/security/
Severity-based prioritization
The table below is an indicative classification useful for prioritization - it is not an official vendor SLA. Actual patch release time depends on the specific vulnerability; current information is in the Security Advisory for each CVE.
| Severity (CVSS) | Description | Indicative response priority |
|---|---|---|
| CRITICAL (9.0-10.0) | RCE, complete compromise | Highest - patch or workaround urgently |
| HIGH (7.0-8.9) | Auth bypass, significant impact | High - patch in the next maintenance window |
| MEDIUM (4.0-6.9) | Information disclosure, limited impact | Medium - schedule a patch in the update cycle |
Communication and transparency
ManageEngine publishes every CVE as a Security Advisory on its dedicated page: manageengine.com/security/. Each advisory includes:
- CVE ID and CVSS score
- Affected product versions
- Patch download link
- Installation instructions
- Sometimes a workaround for customers waiting on the patch
3. High-profile ManageEngine CVEs: what happened?
Below we cover 5 significant CVEs from 2021-2022. These are verified historical facts, shared to build awareness; all of them have been patched. We recommend verifying each CVE at nvd.nist.gov.
| CVE ID | Year | Product | Type | CVSS | Status |
|---|---|---|---|---|---|
| CVE-2022-47966 | 2022/2023 | ServiceDesk Plus, ADSelfService Plus (and others) | RCE (SAML) | 9.8 | PATCHED |
| CVE-2022-35405 | 2022 | Password Manager Pro, PAM360, Access Manager Plus | RCE | 9.8 | PATCHED |
| CVE-2021-40539 | 2021 | ADSelfService Plus | RCE (REST API) | 9.8 | PATCHED |
| CVE-2021-44515 | 2021 | Desktop Central (Endpoint Central) | Auth bypass | 9.8 | PATCHED |
| CVE-2023-6105 | 2023 | Multiple ManageEngine products (ADAudit Plus, ADManager Plus, ServiceDesk Plus and others) | Information disclosure (plaintext passwords) | 5.5 | PATCHED |
What does this mean in practice? If your ManageEngine instance is up to date (on the latest current version), you are not exposed to any of the CVEs listed above. Problems only show up when:
- You ignore updates for months
- You run an End-of-Life (EOL) version
- You do not monitor Security Advisories
4. How to check whether your installation is vulnerable
Step 1: Identify the version
Open the administrative portal of ManageEngine ServiceDesk Plus (or another product) and go to:
- Admin Console → About
- Note the build number (e.g. 5019 for SDP 14.0)
Step 2: Check Security Advisories
Go to: manageengine.com/security/
Search for your product and compare the build numbers against the list of vulnerable versions. If your version is listed, read the patch instructions.
Step 3: Automate scanning
ManageEngine offers a vulnerability self-scan tool:
- ManageEngine Vulnerability Manager Plus: scans all ME products on your network (automated patch deployment and inventory are handled by Endpoint Central)
- Available in Cloud and On-Premise
- Integrates with other products (Endpoint Central, OpManager)
Step 4: Subscribe to notifications
Go to manageengine.com/security/ and sign up for email notifications. That way you find out about new CVEs immediately.
5. Hardening ManageEngine ServiceDesk Plus: checklist
Below is a 10-point checklist for hardening your ManageEngine instance. These are industry best practices for both ManageEngine and any ITSM system.
6. Security monitoring of ManageEngine: what to log?
To detect potential attacks, monitor the right log categories from ManageEngine.
Key log categories to collect
- Authentication events: login, logout, failed login attempts (alert on 10 or more within 1 minute)
- Admin actions: user creation, permission changes, data deletion
- API access: API requests, API key creation, token permission changes
- Data export events: mass exports of requests, tickets, contacts (>1000 records = alert)
- Database changes: changes to configuration, workflow, custom fields
SIEM integration (Security Information and Event Management)
If you run a SIEM (Splunk, Elastic, QRadar, Sumo Logic), you can integrate SDP logs:
- ManageEngine Log360: natively reads and analyzes ManageEngine logs
- Syslog output: SDP sends logs in Syslog format to your SIEM
- Webhook alerts: SDP can send alerts to Slack, Microsoft Teams, email
Example alert rules
Set these alerts in your SIEM or in ManageEngine:
- Alert: 10+ failed logins from the same IP within 1 minute → block IP for 30 min
- Alert: New API application registered (if you did not authorize it) → manual review
- Alert: Export of >1000 tickets / changes within an hour → email to administrator
- Alert: User permission change from User → Admin → immediate notification
7. CVE response plan: what to do when a new one drops?
When a new CVE is published for your ManageEngine product, you have limited time to act. Here is the procedure:
Response process (SLA)
| CVSS Score | Severity | Patch SLA | Action |
|---|---|---|---|
| 9.0-10.0 | CRITICAL | 24 hours | Deploy the patch in a maintenance window OR cut access to the instance |
| 7.0-8.9 | HIGH | 48 hours | Deploy the patch within 48h, or apply a workaround if available |
| 4.0-6.9 | MEDIUM | 2 weeks | Schedule the patch for the next maintenance window |
Step-by-step procedure
- You receive a CVE notification (email from manageengine.com/security/ or your SIEM)
- Read the Security Advisory: check CVE ID, CVSS score, affected versions and patch link
- Check whether your version is vulnerable: compare your instance build number with the advisory list
- Assess risk: is SDP exposed to the internet? Are you on a vulnerable version? CVSS > 7.0 = high risk
- Plan a maintenance window: download the patch, test in a staging environment (if available), schedule deployment
- Deploy the patch: back up before patching, install the patch, verify the instance is running
- Communicate to the team: add a note to the incident in SDP, email management with a summary
- Post-patch verification: check the Admin Console build number, confirm the instance is on the patched version
Summary
ManageEngine has a history of CVEs, like any enterprise software. Transparent vendor communication, fast patches and your proactive security posture together form a solid defense. A detailed plan for Windows Server 2026 patch management is covered in a separate article.
Key takeaways:
- Stay on the current version - that is 90% of security
- Monitor Security Advisories: subscribe to email from manageengine.com/security/
- Hardening: reverse proxy, HTTPS, 2FA, IP whitelist, network isolation
- Monitoring: collect and analyze logs, set SIEM alerts
- Response plan: have a procedure, patch SLAs, maintenance window
- For MSPs serving many clients: ManageEngine vs NinjaOne comparison will help pick the right stack for compliance.
- Planning a ManageEngine rollout from scratch? See what a ManageEngine implementation in Poland looks like. Hardening is part of that process, not a separate project.
If you need help with a security assessment of your ManageEngine instance, patch planning or hardening of an ITSM environment, get in touch. Rotech Group implements ManageEngine as a certified partner (3PRO Gold Partner via MWT Solutions) and helps companies in Poland operate ManageEngine environments safely.