CVE-2021-37420
Description
Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can spoof emails to domain users via MIME injection in Zoho ManageEngine ADSelfService Plus before build 6112.
Vulnerability
A mail spoofing vulnerability exists in Zoho ManageEngine ADSelfService Plus before build 6112. The /RestAPI/PasswordSelfServiceAPI endpoint does not sanitize user-supplied input, allowing an attacker to perform Name/E-mail MIME injection. This enables the crafting of arbitrary email content sent to any domain user. The affected product versions are those prior to the 6112 build. [1] [2]
Exploitation
An unauthenticated attacker can send specially crafted requests to the vulnerable endpoint. No authentication is required. A proof-of-concept script is publicly available. The attacker must configure a mail server in ADSelfService Plus and ensure the target user has an email address set in Active Directory. The script modifies specific parameters to inject arbitrary HTML content into outgoing emails. [2]
Impact
Successful exploitation allows an attacker to send emails with arbitrary content to any domain user, impersonating legitimate system communications. This can be used for phishing attacks, social engineering, or other email-based deception. The impact is limited to integrity (email content spoofing) as the attacker does not gain access to user accounts or system data. [2]
Mitigation
The vulnerability is fixed in build 6112 of Zoho ManageEngine ADSelfService Plus, released on 26 August 2021. Users should upgrade to this version or later. No workarounds are documented. The vendor was notified on 7 May 2021, and the fix was released on 26 August 2021. There is no indication this CVE is listed in CISA's Known Exploited Vulnerabilities catalog. [2]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ADSelfService Plus
- Range: <6112
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `/RestAPI/PasswordSelfServiceAPI` endpoint allows MIME header injection, enabling email spoofing."
Attack vector
An unauthenticated attacker sends specially crafted HTTP requests to the `/RestAPI/PasswordSelfServiceAPI` endpoint, injecting malicious MIME header content into the email parameters [ref_id=1]. The attacker must know a valid domain username (with an email address set in Active Directory) and the target ADSSP server URL [ref_id=1]. Because the endpoint does not validate or sanitize the email-related parameters, the attacker can forge the sender name and email address, as well as control the HTML body of the email sent to the victim [ref_id=1]. The attack requires no authentication and is performed over the network, with the only user interaction being the victim receiving and opening the phishing email [ref_id=1].
Affected code
The vulnerable endpoint is `/RestAPI/PasswordSelfServiceAPI` in Zoho ManageEngine ADSelfService Plus versions before 6112 [ref_id=1]. The researcher write-up identifies this as a "Name/E-mail MIME injection" vulnerability, indicating the API endpoint does not properly sanitize user-supplied input before constructing email MIME headers [ref_id=1].
What the fix does
The vendor fixed the vulnerability in version 6112 of ManageEngine ADSelfService Plus [ref_id=1]. The advisory does not include a patch diff, but the fix addresses the MIME injection by properly sanitizing or validating user-supplied input in the email parameters passed to the `/RestAPI/PasswordSelfServiceAPI` endpoint, preventing attackers from injecting arbitrary email headers or content [ref_id=1].
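The advisory gives no patch diff, so the following is an added illustration of the class of fix described above, not code from ADSelfService Plus or from the researcher write-up. It assumes, since the page does not spell out the mechanism, that the injection works by placing header line breaks (CR/LF) or control characters in the user-controlled name and address fields, and that the HTML body is assembled from a server-side template. All function names and the sample values are hypothetical.

```python
"""Hardened construction of a password self-service notification email.

Added example (not the product's or the researcher's code). Two controls are
shown: (1) user-supplied name/address values are validated before they reach
MIME headers, so they cannot add or alter header fields; (2) the HTML body is
rendered from a fixed server-side template with any user-derived text escaped,
so callers cannot supply arbitrary HTML.
"""
import html
import re
from email.message import EmailMessage
from email.utils import formataddr

# Assumption: injection relies on CR, LF or NUL bytes inside a header value.
HEADER_CTRL = re.compile(r"[\r\n\x00]")
# Deliberately strict address shape; adapt to the deployment's address policy.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """Raised when a value would be unsafe to place in a MIME header."""


def validate_display_name(name: str, max_len: int = 64) -> str:
    """Return a display name safe for a From:/To: header, or raise."""
    if HEADER_CTRL.search(name):
        raise HeaderInjection("control character in display name")
    if not name.strip() or len(name) > max_len:
        raise HeaderInjection("display name empty or too long")
    return name.strip()


def validate_address(addr: str) -> str:
    """Return a single well-formed address, or raise."""
    if HEADER_CTRL.search(addr) or not ADDR_RE.fullmatch(addr):
        raise HeaderInjection("invalid address")
    return addr


def render_body(username: str) -> str:
    """Server-owned HTML template; the only user-derived value is escaped."""
    return (
        "<html><body><p>Hello {user},</p>"
        "<p>Your password self-service request was received.</p>"
        "</body></html>"
    ).format(user=html.escape(username))


def build_notification(sender_name: str, sender_addr: str,
                       recipient: str, username: str) -> EmailMessage:
    """Build the outgoing message; every header value passes validation first."""
    msg = EmailMessage()
    msg["From"] = formataddr((validate_display_name(sender_name),
                              validate_address(sender_addr)))
    msg["To"] = validate_address(recipient)
    msg["Subject"] = "Password self-service notification"
    msg.set_content(render_body(username), subtype="html")
    return msg


if __name__ == "__main__":
    # Constructed sample values; hypothetical domain.
    m = build_notification("IT Helpdesk", "helpdesk@example.com",
                           "alice@example.com", "alice")
    print(m)
```

The validators run before the `email` library sees the values, so the check does not depend on which policy the caller's MIME library uses. Rejecting rather than stripping is deliberate: a request carrying header control characters in a name field is malformed by construction, and logging the rejection gives a useful detection signal for attempts against the endpoint.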
Preconditions
- Config: a mail server must be configured in ADSelfService Plus
- Input: the attacker must know a valid domain username that has an email address set in Active Directory
- Input: the attacker must know the ADSSP server URL
- Auth: no authentication required
Reproduction
1. Configure a mail server in ADSelfService Plus.
2. Ensure the target "victim" user has an email address set in Active Directory.
3. Modify the following parameters in the CVE-2021-37420.py script: URL (ADSSP server URL), DOMAIN (FQDN), USERNAME (AD username, not email), HTML_CONTENT (phishing email body).
4. Execute the script; the victim user receives the spoofed email [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- blog.stmcyber.com/vulns/cve-2021-37420/
- pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6112-hotfix-release
- www.manageengine.com
News mentions
No linked articles in our index yet.