CVE-2021-37761
Description
Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unrestricted file upload in Zoho ManageEngine ADManager Plus version 7110 and prior allows remote code execution.
Vulnerability
Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, allowing an attacker to upload arbitrary files to the server. This vulnerability resides in the file upload functionality and does not require special configuration beyond default settings. Affected versions: ADManager Plus 7110 and all earlier versions.
Exploitation
An attacker with network access to the ADManager Plus web interface can exploit this vulnerability by uploading a malicious file (e.g., a JSP web shell) via the vulnerable upload endpoint. The description does not say whether authentication is required, but typical deployments require admin access. The attacker then accesses the uploaded file to execute arbitrary commands.
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the ADManager Plus application, leading to full compromise of the affected system.
Mitigation
Upgrade to ADManager Plus version 7111 or later; per the vendor's release notes [1], this issue is addressed in build 7111. No workarounds are documented. If upgrading is not possible, restrict access to the file upload functionality via network controls.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ADManager Plus
- Range: <=7110
Patches
No patches discovered yet.
References
- www.manageengine.com (mitre, x_refsource_MISC)
- www.manageengine.com/products/ad-manager/release-notes.html (mitre, x_refsource_MISC)