This is a security advisory regarding an authentication bypass vulnerability in ServiceDesk Plus, which has been identified and fixed. On-premises installations of ServiceDesk Plus versions 10511 through 11133 with SAML authentication enabled are affected, and customers running those versions are advised to upgrade to the latest version (11134) immediately.

Severity: High

Impact: This vulnerability could be exploited to log in to a ServiceDesk Plus installation with administrative privileges, and then to read service desk data or change the service desk configuration; either can be used to gain unauthorized access to user data or to aid subsequent attacks. Exploitation takes two steps. First, the attacker authenticates through SAML with the credentials of any service desk user account (a low-privileged account is sufficient). Then, after the SAML assertion has been validated, the attacker alters the 'username' parameter to the username of an account with administrative privileges. The attacker therefore needs three pieces of information: valid credentials for any service desk account, the username of an administrator account, and the domain details.

What led to the vulnerability?

After SAML validation, ServiceDesk Plus performed a security check to establish the username and user domain of the authenticated user. That check read the 'username' parameter from the incoming request rather than from the identity that had just been validated by the SAML exchange, so a client could change the parameter after SAML validation and be logged in as a different user.

This vulnerability could be exploited to log in to a ServiceDesk Plus installation as an administrator.

Who is affected?

This vulnerability affects customers of any edition of ServiceDesk Plus (on-premises) using version 10511 to 11133 who have SAML authentication enabled.

How have we fixed it?

This vulnerability has been addressed in ServiceDesk Plus 11134 by fixing the security check mechanism: authentication now uses the username and domain details stored securely by the server rather than the incoming request parameters, which can be tampered with easily.
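To make the flaw described above and the shape of the fix concrete, here is an added illustrative example. It is hypothetical code written for this advisory page, not ServiceDesk Plus source, and the account directory, the SAML assertion and the session object are all constructed stand-ins. It contrasts a post-SAML login check that re-reads the 'username' and domain from client-supplied parameters with one that binds the login to the identity recorded when the assertion was validated.

```python
"""Illustrative post-SAML login check: parameter-trusting (vulnerable) versus
session-bound (hardened). Hypothetical code, not ServiceDesk Plus source."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed account directory: (username, domain) -> attributes.
DIRECTORY = {
    ("alice", "corp.example"): {"admin": False},
    ("sdadmin", "corp.example"): {"admin": True},
}


@dataclass
class Session:
    """Server-side session. saml_subject is written only by the assertion
    handler, never from request parameters."""
    saml_subject: Optional[Tuple[str, str]] = None
    user: Optional[Tuple[str, str]] = None


def validate_assertion(session: Session, assertion: dict) -> None:
    """Stand-in for real SAML validation. A real implementation must verify the
    response signature, audience, recipient and validity window before trusting
    any field; here 'signature_ok' is a constructed flag standing in for that."""
    if not assertion.get("signature_ok"):
        raise ValueError("assertion rejected")
    # Record the validated identity server-side, keyed to this session only.
    session.saml_subject = (assertion["name_id"], assertion["domain"])


def login_vulnerable(session: Session, params: dict) -> Optional[bool]:
    """The pattern the advisory describes: after SAML validation, the username
    and domain are taken again from client-controlled request parameters.
    Returns the admin flag of the account logged in, or None if login fails."""
    if session.saml_subject is None:
        return None  # no validated assertion on this session
    key = (params.get("username"), params.get("domain"))
    if key not in DIRECTORY:
        return None
    session.user = key
    return DIRECTORY[key]["admin"]


def login_fixed(session: Session, params: dict) -> Optional[bool]:
    """Hardened form: the identity comes only from the validated subject stored
    on the server. Incoming username/domain parameters are never used to pick
    the account; if present and different, the request is refused outright."""
    if session.saml_subject is None:
        return None
    key = session.saml_subject
    if "username" in params or "domain" in params:
        if (params.get("username"), params.get("domain")) != key:
            return None  # tampering attempt: parameters disagree with assertion
    if key not in DIRECTORY:
        return None
    session.user = key
    return DIRECTORY[key]["admin"]


def demo() -> dict:
    """Attacker authenticates legitimately as the low-privileged user alice,
    then submits the post-validation request with an administrator's name."""
    assertion = {"name_id": "alice", "domain": "corp.example", "signature_ok": True}
    tampered = {"username": "sdadmin", "domain": "corp.example"}

    s_vuln = Session()
    validate_assertion(s_vuln, assertion)
    vuln_admin = login_vulnerable(s_vuln, tampered)

    s_fixed = Session()
    validate_assertion(s_fixed, assertion)
    fixed_admin = login_fixed(s_fixed, tampered)

    # Without any validated assertion neither path may log anyone in.
    no_saml = login_fixed(Session(), tampered)

    return {
        "vulnerable_logged_in_as": s_vuln.user,
        "vulnerable_admin": vuln_admin,
        "fixed_logged_in_as": s_fixed.user,
        "fixed_admin": fixed_admin,
        "no_assertion": no_saml,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened version is that the only place the account identity is written is inside the assertion handler, after signature and audience checks have passed; every later step reads it back from the server-side session, so a client that edits the 'username' parameter on the follow-up request can at best cause its own login to be refused.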

How to find out if you are affected

Click the Help link in the top-right corner of the ServiceDesk Plus web client and select About from the drop-down to see your current version. If your version is between 10511 and 11133 (inclusive) and you are using SAML authentication, you are affected and should upgrade.

What customers should do

ServiceDesk Plus versions 11100 to 11133

Download the upgrade pack from https://www.manageengine.com/products/service-desk/service-packs.html and immediately upgrade to the latest version (11134).

ServiceDesk Plus versions 10511 to 11010

Please follow this forum post for further updates. Alternatively, you can upgrade to the latest version (11134) using the appropriate migration path here: https://www.manageengine.com/products/service-desk/on-premises/service-packs.html

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.

Important note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you’ll have this copy as a backup, which will keep all your settings intact. If you’re using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

