Zoho ManageEngine ADSelfService Plus: Unauthenticated Remote Code Execution RCE Vulnerability (CVE-2021-40539)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Sep 7, 2021 | Sep 14, 2021 | May 14, 2025 |
Description
REST API URLs in ADSelfService Plus are authenticated by a specific security filter. Attackers used specially crafted REST API URLs that bypassed this filter because the URLs were not normalized before validation: the filter inspected the request path as received, while the application resolved it to a REST API endpoint. This gave unauthenticated attackers access to REST API endpoints, which they then used for subsequent attacks such as arbitrary command execution.
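The flaw class the description refers to, modelled as an added example. This is not ADSelfService Plus code: the filter functions, the container normalization model and the request paths below are assumptions chosen to illustrate a prefix check performed before normalization, not the exact payload used in the wild. The point it shows is that a filter and a router must canonicalize a path the same way before either of them compares it to a protected prefix.

```python
"""
Model of a security filter that checks a protected URL prefix before
the path is normalized, beside the hardened version of the same check.
All names, paths and the normalization model are assumptions made for
this example; none of it is ADSelfService Plus code.
"""
import posixpath
from urllib.parse import unquote

# Assumed protected prefix: anything routed here must be authenticated.
PROTECTED_PREFIX = "/RestAPI/"


def container_normalize(raw_path: str) -> str:
    """Approximate what a servlet container does before routing a request:
    percent-decode the path, then collapse '.' and '..' segments.
    This is an assumed model of container behaviour, not a specific server."""
    decoded = unquote(raw_path)
    normalized = posixpath.normpath(decoded)
    # normpath drops a trailing slash; restore it so prefix matches still hold.
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def routes_to_rest_api(raw_path: str) -> bool:
    """Does the router ultimately dispatch this request to the REST API?"""
    return container_normalize(raw_path).startswith(PROTECTED_PREFIX)


def vulnerable_filter_requires_auth(raw_path: str) -> bool:
    """Flawed check: compares the request URI exactly as received, so any
    spelling of the path that the router later canonicalizes slips past."""
    return raw_path.startswith(PROTECTED_PREFIX)


def fixed_filter_requires_auth(raw_path: str) -> bool:
    """Hardened check: canonicalize with the same rules the router uses,
    then compare. The filter and the router now agree on every path."""
    return container_normalize(raw_path).startswith(PROTECTED_PREFIX)


def is_bypass(raw_path: str, filter_fn) -> bool:
    """True when the request reaches a REST endpoint without the filter
    having demanded authentication: the definition of the bypass."""
    return routes_to_rest_api(raw_path) and not filter_fn(raw_path)


# Constructed sample requests (assumptions for illustration, not recorded
# attack traffic). Each is a different way of spelling the same target.
SAMPLES = [
    "/RestAPI/Example",          # straightforward request, filter applies
    "/./RestAPI/Example",        # current-directory segment
    "/help/../RestAPI/Example",  # parent-directory traversal
    "/%52estAPI/Example",        # percent-encoded 'R'
    "/ServletAPI/Example",       # unrelated path, never reaches the API
]


def audit(samples=SAMPLES) -> dict:
    """For each sample path, report whether the vulnerable filter and the
    fixed filter can be bypassed: raw_path -> (vulnerable_bypassed, fixed_bypassed)."""
    return {
        path: (
            is_bypass(path, vulnerable_filter_requires_auth),
            is_bypass(path, fixed_filter_requires_auth),
        )
        for path in samples
    }


if __name__ == "__main__":
    for path, (vuln, fixed) in audit().items():
        print(f"{path:28} vulnerable filter bypassed={vuln!s:5} fixed filter bypassed={fixed}")
```

Whether a given container percent-decodes before routing, and how it treats dot segments, is server specific; the defensive rule is the same regardless: never compare a raw request path against an access-control prefix, and run the filter on the canonical form the router actually dispatches on.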
Solution
zoho-manageengine-adselfservice-plus-upgrade-latest
References
- CVE-2021-40539
- https://attackerkb.com/topics/CVE-2021-40539
- http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html
- https://www.manageengine.com
- https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html