ManageEngine ADSelfService Plus - Remote Code Execution (CVE-2021-40539)
- Severity (CVSSv3 score): 9.8
- Vulnerability description
ManageEngine ADSelfService Plus is affected by an unauthenticated Remote Code Execution vulnerability located in the REST API routing service. The root cause is a change made to the path normalization logic.
- Risk description
A remote, unauthenticated attacker can fully compromise the server and use that access to steal sensitive information, install ransomware or pivot into the internal network.
- Exploit capabilities
Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
- Recommendation
Upgrade ManageEngine ADSelfService Plus to a version higher than 6113.
- Codename: Not available
- Detectable with: Network Scanner
- Exploitable with Sniper: Yes
- Vuln date: Sep 2021
- Published at
- Updated at
- Software Type: Password management
- Vendor: ManageEngine
- Product: ADSelfService Plus