ManageEngine ADSelfService Plus - Remote Code Execution (CVE-2021-40539)

Name: ManageEngine ADSelfService Plus - Remote Code Execution (CVE-2021-40539)
Published: 2021-10-27T00:00:00.000Z

Severity
CVE: CVE-2021-40539
CVSSv3 Score: 9.8
Exploitable with Sniper: Yes
Vulnerability description: ManageEngine ADSelfService Plus is affected by an unauthenticated Remote Code Execution vulnerability, located in the REST API routing service. The root cause of this vulnerability consists in a change done to the path normalization.
Exploit capabilities: Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
Risk description: The risk exists that a remote unauthenticated attacker can fully compromise the server in order to steal sensitive information, install ransomware or pivot to the internal network.
Recommendation: Upgrade the ManageEngine ADSelfService Plus to a version higher than 6113.
References: https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
Detectable with: Network Scanner
Vuln date: Sep 2021
Published at: Oct 2021
Updated at: Feb 2022
Software Type: Password management
Vendor: ManageEngine
Product: ADSelfService Plus
Codename: Not available