vulnerability

Zoho ManageEngine ADSelfService Plus: CVE-2026-2740: Authenticate Remote Code Execution

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:M/Au:S/C:C/I:C/A:P)	Feb 5, 2026	May 25, 2026	May 25, 2026

Severity

CVSS

(AV:N/AC:M/Au:S/C:C/I:C/A:P)

Published

Feb 5, 2026

Added

May 25, 2026

Modified

May 25, 2026

Description

Zohocorp ManageEngine ADSelfService Plus versions before 6525 DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.

Solution

zoho-manageengine-adselfservice-plus-upgrade-latest

References

CWE-77
CVE-2026-2740
https://attackerkb.com/topics/CVE-2026-2740
https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-2740.html
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-31283

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report