Security advisory

RCE vulnerability when integrating with Analytics Plus.

CVE ID: CVE-2022-40770

| Product Name | Severity | Affected Version(s) | Fixed Version(s) | Fixed On |
| --- | --- | --- | --- | --- |
| ServiceDesk Plus | Medium | 13010 and below | 13011 | Sept. 27, 2022 |
| ServiceDesk Plus MSP | Medium | 10610 and below | 13000 | Oct 13, 2022 |
| SupportCenter Plus | Medium | 11025 and below | 11026 | Oct. 28, 2022 |


The input fields needed to configure the Analytics Plus integration with ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus are vulnerable to remote command execution (RCE). Threat actors with admin role access can add malicious commands or scripts to these input fields during the setup of the integration and execute them.


This vulnerability allows a threat actor with admin role access to execute arbitrary commands and carry out any subsequent attacks.

Steps to upgrade

  1. Download the latest upgrade pack from the following links for the respective product:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.


This vulnerability was reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.

If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.

ServiceDesk Plus:

ServiceDesk Plus MSP:

SupportCenter Plus:
