Vulnerability Details CVE-2021-40539
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.944
EPSS Ranking 100.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Proposed Action
Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.
Ransomware Campaign
Known
References
- http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html
- https://www.manageengine.com
- https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
- http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html
- https://www.manageengine.com
- https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
Products affected by CVE-2021-40539
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0.6
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.4
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1