Skip to main content
HomePentest-Tools.com Logo

Vulnerabilities & Exploits

ManageEngine ADSelfService Plus - Remote Code Execution (CVE-2021-40539)

Severity
CVSSv3 Score
9.8
CVE
Cybersecurity Infrastructure Security Agency (CISA)CVE-2021-40539
Vulnerability description

ManageEngine ADSelfService Plus is affected by an unauthenticated Remote Code Execution vulnerability, located in the REST API routing service. The root cause of this vulnerability consists in a change done to the path normalization.

Risk description

The risk exists that a remote unauthenticated attacker can fully compromise the server in order to steal sensitive information, install ransomware or pivot to the internal network.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Upgrade the ManageEngine ADSelfService Plus to a version higher than 6113.

References

https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html

Codename
Not available
Detectable with
Network Scanner
Exploitable with Sniper
Yes
Vuln date
Sep 2021
Published at
Updated at
Software Type
Password management
Vendor
ManageEngine
Product
ADSelfService Plus