VYPR
Unrated severity · NVD Advisory · Published Sep 27, 2021 · Updated Aug 4, 2024

CVE-2021-37539

Description

Zoho ManageEngine ADManager Plus before build 7111 is vulnerable to unrestricted file upload, which leads to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zoho ManageEngine ADManager Plus before build 7111 allows unrestricted file upload leading to remote code execution.

Vulnerability

Zoho ManageEngine ADManager Plus before build 7111 is vulnerable to an unrestricted file upload issue that can lead to remote code execution [1]. The vulnerability exists in the product's file upload functionality, where an attacker can upload arbitrary files without proper validation or restriction on file types or paths. This allows the upload of executable files such as JSP or other server-side scripts that can be executed in the context of the application. The affected versions are all builds prior to 7111.

Exploitation

An attacker with network access to the ManageEngine ADManager Plus web interface can exploit this vulnerability by sending a crafted HTTP request with a malicious file (e.g., a JSP web shell) to an upload endpoint. No authentication is required for the exploitation, as the unrestricted file upload functionality is accessible to unauthenticated users. The attacker simply uploads the file to a location accessible by the web server, and then accesses the uploaded file via a web browser to trigger its execution.

Impact

Successful exploitation allows the attacker to execute arbitrary code on the target server with the privileges of the application process (typically high, such as NT AUTHORITY\SYSTEM on Windows or root on Linux). This leads to full compromise of the confidentiality, integrity, and availability of the affected system, including the potential for data exfiltration, installation of backdoors, lateral movement within the network, and further attacks.

Mitigation

The vulnerability is fixed in Zoho ManageEngine ADManager Plus build 7111, released on or around September 2021 [1]. Organizations should upgrade to build 7111 or later immediately. If upgrading is not possible, restrict network access to the ADManager Plus web interface to trusted IPs and monitor for unauthorized file uploads as a temporary workaround. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
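The workaround above asks operators to monitor for unauthorized file uploads. One practical way to do that for an unrestricted-upload bug of this class is a baseline-and-diff integrity check over the application's web-accessible directories: snapshot file hashes once, re-snapshot on a schedule, and alert when a server-side script file (JSP and friends) appears or changes. The script below is an added example written for this page, not ManageEngine code; the webroot and file names it uses are constructed inside a temporary directory and are not real ADManager Plus paths.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a Java web container will execute if they appear under a
# web-accessible directory; a new or modified file with one of these is
# the signal worth alerting on.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".war", ".jar"}


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snapshot[str(path.relative_to(root))] = digest
    return snapshot


def diff_snapshots(baseline, current):
    """Compare two snapshots; returns a list of (kind, relative_path) tuples."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("new", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("deleted", rel))
    return findings


def alerts_for(findings):
    """Keep only new or modified files with a server-side script extension."""
    return [
        (kind, rel)
        for kind, rel in findings
        if kind in ("new", "modified")
        and Path(rel).suffix.lower() in SCRIPT_EXTENSIONS
    ]


def demo():
    """Build a constructed webroot, take a baseline, simulate changes, and
    return the sorted alerts. The layout is invented for the demonstration."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        (webroot / "index.jsp").write_text("<%-- legitimate page --%>")
        (webroot / "images").mkdir()
        (webroot / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = hash_tree(webroot)

        # Simulated post-baseline changes: a script file dropped into a
        # directory that should only hold images, a harmless new image,
        # and an edit to an existing page.
        (webroot / "images" / "upload.jsp").write_text("<% /* unexpected */ %>")
        (webroot / "images" / "new.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (webroot / "index.jsp").write_text("<%-- changed --%>")
        current = hash_tree(webroot)

        return sorted(alerts_for(diff_snapshots(baseline, current)))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"ALERT {kind}: {rel}")
```

In production the baseline would be taken immediately after installing the fixed build and stored outside the application's own writable directories; the new PNG is deliberately not alerted on, so the check stays quiet for ordinary content changes and only fires on files the container would execute.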

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)