vulnerability

Zoho ManageEngine ADSelfService Plus: Unauthenticated Remote Code Execution RCE Vulnerability (CVE-2021-33055)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	May 26, 2021	Dec 18, 2024	Dec 18, 2024

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

May 26, 2021

Added

Dec 18, 2024

Modified

Dec 18, 2024

Description

ADSelfService Plus employs PowerShell scripts to achieve the functionality of features such as password synchronization. Unicodes General Punctuation block contains symbols composed of multiple singlequotes and double-quotes. When these symbols are included in PowerShell scripts, they can be used to begin and end strings. However since these symbols are not considered as Unicode-encoded by PowerShell, they may be misused to perform PowerShell injection attacks.

Solution

zoho-manageengine-adselfservice-plus-upgrade-latest

References

CVE-2021-33055
https://attackerkb.com/topics/CVE-2021-33055
URL-https://blog.stmcyber.com/vulns/cve-2021-33055/
URL-https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today