Zoho ManageEngine ADSelfService Plus: CVE-2021-40539: Unauthenticated Remote Code Execution (RCE) Vulnerability
| Severity | CVSS v2 vector | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Sep 7, 2021 | Sep 14, 2021 | Mar 27, 2026 |
Description
REST API URLs in ADSelfService Plus are authenticated by a dedicated security filter. The filter validated request URLs before normalizing them, so attackers were able to craft REST API URLs that slipped past the filter while the application still routed them to the protected endpoints. With unauthenticated access to those REST API endpoints, attackers carried out follow-on attacks, including arbitrary command execution on the server.
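The bug class named above, a filter that decides on the raw URL while the container dispatches on the normalized one, is easier to see in code. The following is an added example written for this page, not ManageEngine's filter and not the ADSelfService Plus code base: it models the flawed check, the hardened check that canonicalizes first, and a scan over constructed access-log lines for the tell-tale shape of a bypass attempt. The `/RestAPI/` prefix, the endpoint names, the crafted paths and the log lines are all assumptions made for illustration; the specific URLs used against ADSelfService Plus are not reproduced here.

```python
"""Model of a URL-authentication filter that checks the raw request path
(the flawed pattern behind a normalization bypass) next to a hardened version
that canonicalizes the path first, plus a log check for bypass attempts.

Added example, not ManageEngine code. The "/RestAPI/" prefix, the endpoint
names, the sample access-log lines and the crafted paths are constructed for
illustration and are not the actual ADSelfService Plus URLs or payloads.
"""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/RestAPI/"  # hypothetical prefix guarded by the filter


def vulnerable_requires_auth(raw_path: str) -> bool:
    """Flawed filter: matches the raw URI as sent by the client. The servlet
    container resolves '.', '..', duplicate slashes and ';param' segments
    before dispatch, so a path like '/./RestAPI/Users' reaches the protected
    handler without the filter ever asking for credentials."""
    return raw_path.startswith(PROTECTED_PREFIX)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the backend will dispatch on:
    fully percent-decode (repeated, to cover double encoding), drop
    ';name=value' path parameters from every segment (as Tomcat does for
    jsessionid), collapse runs of '/', then resolve '.' and '..' segments."""
    decoded = raw_path
    while True:
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    without_params = "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))
    collapsed = re.sub(r"/+", "/", without_params)
    if not collapsed.startswith("/"):
        collapsed = "/" + collapsed
    # posixpath.normpath resolves '/a/../b' -> '/b' and '/../b' -> '/b'
    return posixpath.normpath(collapsed)


def hardened_requires_auth(raw_path: str) -> bool:
    """Fixed filter: decide on the canonical path, never on the raw one."""
    return canonicalize(raw_path).startswith(PROTECTED_PREFIX)


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [07/Sep/2021:10:12:01 +0000] "POST /./RestAPI/Users HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Sep/2021:10:12:05 +0000] "GET /RestAPI/Users HTTP/1.1" 401 0',
    '192.0.2.9 - - [07/Sep/2021:10:13:44 +0000] "GET /help/../RestAPI/Users HTTP/1.1" 200 318',
    '198.51.100.7 - - [07/Sep/2021:10:14:00 +0000] "GET /login HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_bypass_attempts(log_lines):
    """Return (client, raw_path, status) for requests whose raw path differs
    from its canonical form yet lands under the protected prefix, i.e. the
    shape a normalization bypass takes in the access log. A 200 on such a
    line deserves immediate attention; a 401 means the filter held."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, raw_path, status = m.groups()
        canon = canonicalize(raw_path)
        if canon != raw_path and canon.startswith(PROTECTED_PREFIX):
            hits.append((client, raw_path, int(status)))
    return hits


if __name__ == "__main__":
    for p in ("/RestAPI/Users", "/./RestAPI/Users", "/help/../RestAPI/Users",
              "//RestAPI/Users", "/%2e/RestAPI/Users", "/RestAPI;x=1/Users"):
        print(f"{p:28} vulnerable={vulnerable_requires_auth(p)!s:5} "
              f"hardened={hardened_requires_auth(p)}")
    for hit in find_bypass_attempts(SAMPLE_ACCESS_LOG):
        print("bypass attempt:", hit)
```

Two practical points follow from the model. First, a private normalizer that only approximates the container's rules leaves room for the two to disagree, so the safer servlet-side fix is to match on the path the container has already normalized, or to reject outright any request whose raw URI differs from its canonical form. Second, the same canonicalize-then-compare test is a cheap retrospective check: run it over Tomcat access logs from before the upgrade and treat any 200 response on a path that only reaches the REST API after normalization as a likely exploitation attempt.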
Solution
Upgrade Zoho ManageEngine ADSelfService Plus to the latest build. The vendor fixed this issue in build 6114; see the ManageEngine KB article in the references for the upgrade procedure.
References
- CWE-706: Use of Incorrectly-Resolved Name or Reference
- CVE-2021-40539
- https://attackerkb.com/topics/CVE-2021-40539
- http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html
- https://www.manageengine.com
- https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-27714