Command injection in Zoho ManageEngine ServiceDesk Plus

Published: 2022-11-24
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-40770
Exploitation vector Network
Public exploit N/A
Vulnerable software
Zoho ManageEngine ServiceDesk Plus
Web applications / Remote management & hosting panels

Vendor Zoho Corporation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Command Injection

EUVDB-ID: #VU69556

Risk: Low


CVE-ID: CVE-2022-40770

CWE-ID: CWE-77 - Command injection

Exploit availability: No


The vulnerability allows a remote user to execute arbitrary code on the system.

The vulnerability exists due to improper input validation within the invokeDataUploadTool() function when handling data passed via the fields required to configure the Analytics Plus integration. A remote privileged user can inject and execute arbitrary commands on the system.


Install updates from vendor's website.

Vulnerable software versions

Zoho ManageEngine ServiceDesk Plus: 13.0 13000 - 13.0 13010

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?