# Security advisory ## June 22, 2026 A remote code execution vulnerability in the Reports module (Query Report) has been fixed in ServiceDesk Plus MSP version 15150. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/cve-2026-12507.html) to learn more and upgrade to the latest service pack. ## August 06, 2025 A privilege escalation vulnerability caused by insecure regex in URL paths has been fixed in ServiceDesk Plus MSP version 14940. For more details and steps to upgrade to the latest version, please refer to the associated [security advisory](https://www.manageengine.com/products/service-desk/cve-2025-8309.html). ## May 15, 2025 An Authenticated LFI vulnerability has been fixed in ServiceDesk Plus MSP version 14920. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk-msp/cve-2025-3444.html) to learn more and to upgrade to the latest version. ## March 13, 2025 A stored XSS vulnerability in the Add Task form has been fixed in ServiceDesk Plus MSP version 14910. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2024-50053.html) to learn more and to upgrade to the latest version. ## August 23, 2024 A stored XSS vulnerability is fixed in ServiceDesk Plus MSP version 14810. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2024-41150.html) to learn more and to upgrade to the latest version. ## January 18, 2024 A stored XSS vulnerability in Time Sheets is fixed in ServiceDesk Plus MSP version 14504. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk-msp/CVE-2023-49943.html) to learn more and to upgrade to the latest version. ## July 06, 2023 A privilege escalation vulnerability in the Release module allowed unprivileged users to access the Reminders of a release ticket and modify it. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-34197.html) to learn more and to upgrade to the latest version. ## April 25, 2023 A XXE vulnerability in the Reports integration has been fixed in ServiceDesk Plus MSP version 14200. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-29443.html) to learn more and to upgrade to the latest version. ## March 06, 2023 A privilege escalation vulnerability in query reports has been fixed in ServiceDesk Plus MSP version 14000. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-26600.html) to learn more and to upgrade to the latest version. A Denial of Service vulnerability is fixed in ServiceDesk Plus MSP version 14001. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-26601.html) to learn more and to upgrade to the latest version. ## February 14, 2023 A stored XSS vulnerability in the asset details page has been fixed in ServiceDesk Plus MSP version 14000. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-23078.html) to learn more and to upgrade to the latest version. A stored XSS vulnerability in the associate Service Requests list view on the Purchase Order details page has been fixed in ServiceDesk Plus MSP version 13002. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-23073.html) to learn more and to upgrade to the latest version. ## January 05, 2023 This security advisory addresses a flaw in the LDAP authentication process for user details imported from the LDAP server. Please visit [this link](https://www.manageengine.com/products/service-desk-msp/cve-2023-22964.html) for more information. ## November 19, 2022 An RCE vulnerability when integrating with Analytics Plus has been fixed in ServiceDesk Plus MSP version 13000. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2022-40770.html) to learn more and to upgrade to the latest version. An XXE vulnerability when integrating with Analytics Plus has been fixed in ServiceDesk Plus MSP version 13001. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2022-40771.html) to learn more and to upgrade to the latest version. A privilege escalation vulnerability in query reports has been fixed in ServiceDesk Plus MSP version 10609. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2022-40772.html) to learn more and to upgrade to the latest version. ## Sept 26, 2022 A vulnerability that allows unauthorized access to restricted data has been identified and fixed in versions 10609 and above. Please refer to [this security advisory](https://www.manageengine.com/products/service-desk-msp/cve-2022-40772.html) for more information and upgrade to the latest version. ## Sept 26, 2022 An unauthorized access vulnerability that can disclose privileged data has been identified and fixed in versions 10609 and above. Please refer to [this security advisory](https://www.manageengine.com/products/service-desk-msp/cve-2022-40773.html) for more information and upgrade to the latest version of ServiceDesk Plus. ## July 11, 2022 An unauthenticated local file disclosure vulnerability that allows non-login users to download files has been fixed in version 10606. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/cve-2022-35403.html) to learn more and upgrade to the latest version. ## June 22, 2022 This security advisory addresses a flaw in handling the request path that made ServiceDesk Plus MSP vulnerable to an unauthenticated arbitrary web-root file disclosure. Please visit [this link](https://www.manageengine.com/products/service-desk-msp/CVE-2022-32551.html) for more information. ## December 04, 2021 This security advisory addresses an authentication bypass vulnerability that affects ServiceDesk Plus MSP versions up to **10532**. Please note that we are noticing exploits of this authentication bypass vulnerability, and we strongly urge all customers using ServiceDesk Plus MSP (all editions) with versions up to 10532 to update to the latest version immediately. ### Severity: Critical ### Impact: This vulnerability can allow an adversary to execute arbitrary code and conduct any subsequent attacks. ### What led to the vulnerability? One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated URL to be accessed without proper authentication. ### Who is affected? This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions up to 10532. ### How have we fixed it? We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability. ### How to find out if you are affected Click the **Help** link in the top-right corner of the ServiceDesk Plus MSP web client, and select **About** from the drop-down to see your current version. If your current version is 10532 and below, you might be affected. Please follow [this forum post](https://pitstop.manageengine.com/agent/manageengine/servicedesk-plus-msp/community/page#Community/singlepost/security-advisory-authentication-bypass-vulnerabilities-in-servicedesk-plus-msp-that-could-lead-to-remote-code-execution) for any further updates regarding this vulnerability. ### What customers should do Customers who fit the above criteria can upgrade to the latest version (10533) using the [appropriate migration path](https://www.manageengine.com/products/service-desk-msp/service-packs-hotfix.html). Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to [support@servicedeskplusmsp.com](mailto:support@servicedeskplusmsp.com) or call us toll-free at +1.888.720.9500. **Important note**: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup. We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at [support@servicedeskplusmsp.com](mailto:support@servicedeskplusmsp.com). Thanks, Umasankar ServiceDesk Plus MSP team.