
ManageEngine ADSelfService Plus - Remote Code Execution (CVE-2021-40539)

Severity
CVSSv3 Score
9.8
Exploitable with Sniper
Yes
Vulnerability description

ManageEngine ADSelfService Plus is affected by an unauthenticated Remote Code Execution vulnerability rooted in its REST API URL handling. A change to the way request paths are normalised before they are matched against the authentication filter allows an unauthenticated request to reach REST API endpoints that should require a valid session; the resulting authentication bypass is then chained into code execution on the server.
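The root cause class above, an authentication filter and a request router that normalise paths differently, is shown below as an added illustration. This is constructed example code, not ADSelfService Plus code and not a reproduction of the actual bypass: the `/RestAPI/` protected prefix, the `Request` shape, the sample paths and the allow-everything-else policy are assumptions made for the demonstration.

```python
# Added illustration (not ADSelfService Plus code): why an authentication
# filter and a request router must agree on path normalisation.
# Assumed policy: everything under /RestAPI/ requires a valid session and
# every other path is public. The vulnerable filter checks the raw path,
# while the router collapses "." and ".." segments before dispatching.
import posixpath
from dataclasses import dataclass

PROTECTED_PREFIX = "/RestAPI/"  # assumed protected URL space


@dataclass
class Request:
    raw_path: str
    authenticated: bool


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments and repeated slashes, the way a
    typical servlet router does before matching a handler."""
    norm = posixpath.normpath(path)
    # normpath drops a trailing slash; restore it so prefix checks behave
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def vulnerable_filter(req: Request) -> bool:
    """Decides on the RAW path: a request that does not literally start
    with /RestAPI/ is treated as public and waved through."""
    if req.raw_path.startswith(PROTECTED_PREFIX):
        return req.authenticated
    return True


def hardened_filter(req: Request) -> bool:
    """Same policy, but decided on the normalised path the router will
    actually use, so filter and router cannot disagree."""
    if normalize(req.raw_path).startswith(PROTECTED_PREFIX):
        return req.authenticated
    return True


def dispatch(req: Request, auth_filter) -> str:
    """Run the filter, then route on the normalised path."""
    if not auth_filter(req):
        return "401"
    target = normalize(req.raw_path)
    if target.startswith(PROTECTED_PREFIX):
        return f"handler:{target}"
    return "static"


def demo() -> dict:
    """Constructed unauthenticated requests; returns
    {label: (vulnerable result, hardened result)}."""
    samples = [
        ("plain", "/RestAPI/Export"),
        ("dotseg", "/./RestAPI/Export"),
        ("dotdot", "/help/../RestAPI/Export"),
    ]
    results = {}
    for label, path in samples:
        req = Request(path, authenticated=False)
        results[label] = (dispatch(req, vulnerable_filter),
                          dispatch(req, hardened_filter))
    return results


if __name__ == "__main__":
    for label, (vuln, hard) in demo().items():
        print(f"{label:7s} vulnerable={vuln:25s} hardened={hard}")
```

The plain request is rejected by both filters, but the two obfuscated forms slip past the raw-path check and are routed to the protected handler, while the hardened filter rejects all three. The fix is to make the access decision on exactly the canonical path the router dispatches on, never on the client-supplied string.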

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Risk description

A remote unauthenticated attacker can fully compromise the server, steal sensitive information, deploy ransomware or pivot into the internal network. This vulnerability was actively exploited in the wild at the time of disclosure, so an exposed instance should be examined for signs of compromise as well as patched.

Recommendation

Upgrade ManageEngine ADSelfService Plus to build 6114 or later; builds up to and including 6113 are affected.

Detectable with
Network Scanner
Vuln date
Sep 2021
Software Type
Password management
Vendor
ManageEngine
Product
ADSelfService Plus
Codename
Not available