Zoho ManageEngine ADSelfService Plus: Unauthenticated Remote Code Execution RCE Vulnerability (CVE-2021-40539)
Severity | CVSS | Published | Added | Modified
---|---|---|---|---
10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 09/07/2021 | 09/14/2021 | 03/05/2025
Description
The REST API URLs are authenticated by a specific security filter in ADSelfService Plus. Attackers used specially crafted REST API URLs that were able to bypass this security filter due to an error in normalizing the URLs before validation. This, in turn, gave attackers access to REST API endpoints, which they exploited to perform subsequent attacks such as arbitrary command execution.
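Added here to illustrate the defect class the description names (a filter that decides on the request path before normalizing it); this is not code from ManageEngine or from this advisory. It shows a prefix-matching authentication filter applied to the raw path beside the same check applied to the canonical path, plus a small audit that lists where the two disagree. The protected root `/RestAPI` and the sample paths are constructed assumptions, not the product's routes or the requests used in the attacks.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed protected path root for illustration; the page does not list the
# product's real REST API routes.
PROTECTED_ROOTS = ("/RestAPI",)


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to the single form the router will act on:
    strip query/fragment, percent-decode until stable (so double encoding
    collapses), squeeze repeated slashes, resolve '.' and '..' segments."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(4):  # bounded: stop once decoding no longer changes the path
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # posixpath.normpath keeps a leading '//', so squeeze slashes before calling it.
    path = re.sub(r"/+", "/", "/" + path)
    return posixpath.normpath(path)

def _under(path: str, root: str) -> bool:
    return path == root or path.startswith(root + "/")

def naive_requires_auth(raw_path: str) -> bool:
    """Weak filter: prefix match on the raw path, before any normalization."""
    return any(_under(raw_path, root) for root in PROTECTED_ROOTS)

def requires_auth(raw_path: str) -> bool:
    """Hardened filter: the same prefix match, taken on the canonical path."""
    return any(_under(canonicalize_path(raw_path), root) for root in PROTECTED_ROOTS)

def filter_gaps(paths):
    """Paths the naive filter would let through unauthenticated although their
    canonical form is protected; what a filter audit should flag."""
    return [p for p in paths if requires_auth(p) and not naive_requires_auth(p)]

# Constructed inputs for the audit; not the requests used in the real attacks.
SAMPLE_PATHS = [
    "/RestAPI/users",          # plain protected path, both filters agree
    "/./RestAPI/users",        # dot segment in front of the protected root
    "//RestAPI/users",         # doubled slash
    "/help/../RestAPI/users",  # '..' climbs back into the protected tree
    "/%52estAPI/users",        # percent-encoded 'R'
    "/public/index.html",      # unrelated path, both filters agree
]
```

The same canonical form must be used for both the authentication decision and the routing decision; a filter that normalizes differently from the router is still a gap.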
Solution
zoho-manageengine-adselfservice-plus-upgrade-latest
References
- CVE-2021-40539
- https://attackerkb.com/topics/CVE-2021-40539
- https://www.manageengine.com
- https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
- http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html