Security advisory

ServiceDesk Plus - MSP Support Portal Home » Helpdesk Software Features

Authentication bypass vulnerability in Active Directory/LDAP authentication

CVE ID: CVE-2023-22964

Severity: Critical

Product Name Affected version(s) Fixed version(s) Fixed On
ManageEngine ServiceDesk Plus MSP 10600 to 10610 10611 Jan 5, 2023
13000 to 13003 13004 Jan 5, 2023


A flaw in the LDAP authentication process for user details imported from LDAP server, when modified manually or through an API, allows an adversary to log in to the application using any random input as the password.

This vulnerability is applicable only when LDAP authentication is enabled.


An adversary can bypass the authentication and log in to the ServiceDesk Plus MSP application.


Customers can disable LDAP authentication in ServiceDesk Plus MSP.


Customers must upgrade to the latest version of ManageEngine ServiceDesk Plus MSP.

Steps to upgrade:

Customers using versions 13000 to 13003 can upgrade to the latest version (13004) and customers using versions 10600 to 10610 can upgrade to 10611 using the appropriate migration path listed here.