CVE-2021-37417
Description
Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CAPTCHA bypass in Zoho ManageEngine ADSelfService Plus via the EXCLUDE_CAPTCHA parameter allows credential brute-force attacks.
Vulnerability
Zoho ManageEngine ADSelfService Plus version 6103 and prior contains a CAPTCHA bypass vulnerability. The web application fails to properly validate the EXCLUDE_CAPTCHA parameter in the login request to the /j_security_check endpoint. An attacker can append EXCLUDE_CAPTCHA=true to the request body to bypass the CAPTCHA check, even when the "Show CAPTCHA on Login Page every time" setting is enabled [1].
Exploitation
An attacker with network access to the login page can exploit this by intercepting the HTTP POST request (e.g., using a proxy like Burp Suite). The attacker enters any value in the CAPTCHA field, then adds the EXCLUDE_CAPTCHA=true parameter to the request body. The server processes the request and logs the user in, despite the incorrect CAPTCHA value. This requires no authentication beforehand and can be performed remotely [1].
Impact
Successful exploitation allows the attacker to bypass the CAPTCHA mechanism, enabling automated brute-force attacks on user credentials. While the vulnerability does not directly lead to information disclosure or remote code execution, it significantly weakens a login security control and can lead to account compromise. The CVSS score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects only a low availability impact; the practical impact is that it facilitates credential attacks [1].
Mitigation
The vulnerability is fixed in version 6104, released on 08-05-2021. Users should upgrade to ManageEngine ADSelfService Plus version 6104 or later. No workarounds are documented. The vendor was notified on 17-03-2021, and the fix was released approximately two months later [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ADSelfService Plus
- Range: <=6103
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper parameter validation allows the EXCLUDE_CAPTCHA parameter to disable CAPTCHA verification."
Attack vector
An attacker sends a standard login POST request to `/j_security_check` but appends `EXCLUDE_CAPTCHA=true` to the request body. The server processes this parameter and skips CAPTCHA verification, allowing login even when the CAPTCHA value is incorrect. This enables automated brute-force attacks against user credentials without solving the CAPTCHA [ref_id=1]. No authentication or special network position is required; the attacker only needs to reach the login page over the network.
Affected code
The login endpoint `/j_security_check` in ManageEngine ADSelfService Plus accepts an `EXCLUDE_CAPTCHA` parameter in the POST body. The server does not validate this parameter, allowing an attacker to bypass the CAPTCHA check entirely [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the vendor resolved the issue in version 6104 by removing or properly validating the `EXCLUDE_CAPTCHA` parameter so that it cannot be used to bypass the CAPTCHA check [ref_id=1]. Users should upgrade to version 6104 or later to remediate the vulnerability.
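The following is an added example (not code from the advisory or from the vendor) that models the CAPTCHA decision behind a login POST as the advisory describes it, next to a hardened version that takes the decision from server-side configuration only, and a small detector that flags the bypass pattern in access logs. The parameter name EXCLUDE_CAPTCHA and the endpoint come from the advisory; the field names j_username/j_password, captchaAnswer, the configuration key, the log format and the log lines are assumptions constructed for the example.

```python
from urllib.parse import parse_qs

def captcha_required_vulnerable(server_cfg: dict, params: dict) -> bool:
    """Assumed vulnerable logic: a client-supplied EXCLUDE_CAPTCHA=true switches
    the CAPTCHA check off regardless of the server-side setting."""
    if params.get("EXCLUDE_CAPTCHA", [""])[0].lower() == "true":
        return False
    return server_cfg["show_captcha_every_login"]

def captcha_required_hardened(server_cfg: dict, params: dict) -> bool:
    """Hardened: the decision comes from server-side configuration only;
    request parameters are never consulted."""
    return server_cfg["show_captcha_every_login"]

def login_allowed(decide, server_cfg: dict, body: str,
                  captcha_ok: bool, creds_ok: bool) -> bool:
    """Model of the /j_security_check decision: CAPTCHA gate, then credentials."""
    params = parse_qs(body, keep_blank_values=True)
    if decide(server_cfg, params) and not captcha_ok:
        return False
    return creds_ok

# Constructed access-log lines (assumed format): the proxy/WAF records the POST
# body after "body=" with the password already redacted.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2021:10:00:01] "POST /j_security_check HTTP/1.1" 302 '
    'body=j_username=alice&j_password=REDACTED&captchaAnswer=zzzz&EXCLUDE_CAPTCHA=true',
    '10.0.0.9 - - [17/Mar/2021:10:00:02] "POST /j_security_check HTTP/1.1" 200 '
    'body=j_username=bob&j_password=REDACTED&captchaAnswer=Kd7Q',
    '10.0.0.5 - - [17/Mar/2021:10:00:03] "GET /index.html HTTP/1.1" 200',
]

def find_bypass_attempts(log_lines):
    """Return (client_ip, username) for POSTs to /j_security_check whose body
    carries the EXCLUDE_CAPTCHA parameter, whatever its value."""
    hits = []
    for line in log_lines:
        if '"POST /j_security_check' not in line or " body=" not in line:
            continue
        params = parse_qs(line.split(" body=", 1)[1], keep_blank_values=True)
        if "EXCLUDE_CAPTCHA" in params:
            hits.append((line.split()[0], params.get("j_username", ["?"])[0]))
    return hits
```

With the CAPTCHA setting enabled, the vulnerable decision lets a request with a wrong CAPTCHA through when EXCLUDE_CAPTCHA=true is present, while the hardened one rejects it; the detector reports the first sample line only.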
Preconditions
- Config: The 'Show CAPTCHA on Login Page every time' option must be enabled in ADSelfService Plus settings.
- Network: The attacker must be able to send HTTP POST requests to the /j_security_check endpoint.
- Input: The attacker must supply valid or guessed username/password credentials.
Reproduction
1. Enable "Show CAPTCHA on Login Page every time" in ADSSP settings.
2. Set up an intercepting proxy (e.g., Burp Suite).
3. Navigate to the login page, enter a valid username and password, and enter any value in the CAPTCHA field.
4. Intercept the HTTP POST request to `/j_security_check` and add `EXCLUDE_CAPTCHA=true` to the request body.
5. Send the modified request; the user is logged in despite providing a wrong CAPTCHA value [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. blog.stmcyber.com/vulns/cve-2021-37417/ (MISC)
News mentions
No linked articles in our index yet.