VYPR
Unrated severity · NVD Advisory · Published Aug 30, 2021 · Updated Aug 3, 2024

CVE-2021-33055

Description

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated RCE in Zoho ManageEngine ADSelfService Plus through 6102 via PowerShell injection, exploitable in non-English Windows locales.

Vulnerability

An unauthenticated remote code execution vulnerability exists in Zoho ManageEngine ADSelfService Plus through version 6102. The bug is in the user password change functionality, which uses a PowerShell script on certain Windows versions. User-supplied credentials are not properly sanitized before being inserted into the script, allowing PowerShell script injection. The issue is system-locale dependent and only exploitable when the product is installed on Japanese Windows (and potentially other non-English locales) [1].

Exploitation

An unauthenticated attacker can trigger the vulnerability by sending a specially crafted request to the password change endpoint. The attacker needs no authentication but must be able to reach the ADSSP server over the network. The exploit requires the target server to be running a supported non-English Windows locale (e.g., Japanese). A proof-of-concept script is available that allows executing arbitrary commands on the server [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the ADSSP server with the privileges of the ADSSP service account. This leads to full compromise of confidentiality, integrity, and availability (RCE) of the server and potentially the connected Active Directory domain [1].

Mitigation

The vendor released a fix in version 6105 on 26 May 2021. All users of versions below 6105 should upgrade to 6105 or later. No workaround is provided by the vendor, so upgrading is the only mitigation. This CVE is not listed in CISA KEV [1].

References
  1. cve-2021-33055

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"User-supplied credentials are inserted into a PowerShell script without sanitization, allowing PowerShell injection."

Attack vector

An unauthenticated attacker sends a crafted password-change request to the ADSelfService Plus server. The application, when running on a non-English Windows edition (system-locale dependent), inserts the attacker-controlled credentials into a PowerShell script without sanitization [1]. By embedding PowerShell metacharacters in the credential fields, the attacker can break out of the intended command and execute arbitrary commands on the server. The CVSS vector indicates network-based exploitation with high complexity due to the locale dependency [1].

Affected code

The vulnerability exists in the password-change functionality of ManageEngine ADSelfService Plus. When the application is installed on a non-English Windows system (e.g., Japanese Windows), user-supplied credentials are inserted into a dynamically generated PowerShell script without proper sanitization [1]. The exact file path is not disclosed in the advisory.

What the fix does

The vendor released version 6105, which fixes the vulnerability [1]. The advisory does not include a patch diff, but the remediation involves properly sanitizing user-supplied input before inserting it into PowerShell scripts, preventing injection of arbitrary PowerShell commands [1]. Users should upgrade to version 6105 or later.
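
The injection pattern and the kind of fix described above, as an added Python illustration that is not code from ADSelfService Plus or the advisory: `Invoke-PasswordChange`, the `PWCHG_*` variable names and every function are hypothetical, and the inputs are constructed. It compares naive interpolation with literal quoting (covering the typographic quotes PowerShell also accepts as single-quote delimiters) and with a constant script that receives its values through the environment.

```python
# Added illustration of the bug class. Invoke-PasswordChange, the PWCHG_* names
# and all functions are hypothetical, not ADSelfService Plus code.
# PowerShell accepts these typographic quotes as single-quote delimiters too.
PS_QUOTES = "'\u2018\u2019\u201a\u201b"

def build_unsafe(user, password):
    # Vulnerable pattern: credential text becomes part of the script source.
    return f"Invoke-PasswordChange -User '{user}' -Password '{password}'"

def ps_quote(value):
    # Single-quoted literal with every quote character doubled.
    return "'" + "".join(c * 2 if c in PS_QUOTES else c for c in value) + "'"

def build_quoted(user, password):
    return f"Invoke-PasswordChange -User {ps_quote(user)} -Password {ps_quote(password)}"

# Stronger: the script text is constant; values travel in the child's environment.
FIXED_SCRIPT = "Invoke-PasswordChange -User $env:PWCHG_USER -Password $env:PWCHG_PASS"

def build_invocation(user, password):
    # Returns argv plus the extra environment entries to merge for the child process.
    argv = ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", FIXED_SCRIPT]
    return argv, {"PWCHG_USER": user, "PWCHG_PASS": password}

def read_literal(src, start):
    # Minimal reader for one single-quoted literal: returns (value, end index).
    if src[start] not in PS_QUOTES:
        raise ValueError("not a single-quoted literal")
    i, out = start + 1, []
    while i < len(src):
        if src[i] in PS_QUOTES:
            if i + 1 < len(src) and src[i + 1] in PS_QUOTES:
                out.append(src[i + 1])  # doubled quote is one literal character
                i += 2
                continue
            return "".join(out), i + 1
        out.append(src[i])
        i += 1
    raise ValueError("unterminated literal")

def password_as_parsed(script):
    # Value the script's -Password literal carries once tokenized.
    marker = "-Password "
    return read_literal(script, script.index(marker) + len(marker))[0]

if __name__ == "__main__":
    for pw in ("pw' ; Write-Output 'X", "pw\u2019 ; Write-Output \u2018X"):  # constructed
        print(password_as_parsed(build_unsafe("alice", pw)) == pw,
              password_as_parsed(build_quoted("alice", pw)) == pw)
```

With the unsafe builder the parsed literal stops at the first quote character and the rest of the input is left as script text; with `ps_quote` the whole input stays inside the literal, and with `build_invocation` it never enters the script at all.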

Preconditions

  • config: ADSelfService Plus must be installed on a non-English Windows edition (system locale dependent, e.g., Japanese Windows)
  • config: The application must be configured with an Active Directory domain
  • auth: No authentication is required (unauthenticated exploitation)
  • network: Attacker must be able to reach the ADSSP web interface over the network
  • input: Attacker supplies crafted credential fields containing PowerShell metacharacters

Reproduction

Download CVE-2021-33055.py and modify the URL (ADSSP address running on Japanese Windows), DOMAIN (Active Directory domain configured in ADSSP), and CMD (command to execute) variables. Execute the script with Python 3; the command defined in CMD will be executed on the ADSSP server [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
