CVE-2021-37918

Vulnerability

An unrestricted file upload vulnerability exists in Zoho ManageEngine ADManager Plus versions 7110 and prior [1]. The software fails to properly validate or restrict the types of files that can be uploaded, allowing an attacker to upload arbitrary files including executable scripts to the server [1]. This issue is addressed in version 7111 and later [1].

Exploitation

An attacker with network access to the ADManager Plus web interface can exploit this vulnerability by crafting a malicious file, such as a JSP web shell, and uploading it through an affected file upload function [1]. No authentication is required, and the attacker does not need any special privileges to trigger the vulnerable code path [1]. The upload can be performed using standard HTTP requests to the vulnerable endpoint [1].

Impact

Successful exploitation leads to remote code execution (RCE) on the server with the privileges of the web application (typically SYSTEM or a highly privileged service account) [1]. The attacker can then execute arbitrary commands, install malware, exfiltrate data, or pivot to other systems in the network [1]. This represents a complete compromise of confidentiality, integrity, and availability of the affected system [1].

Mitigation

Zoho released version 7111 on an unspecified date to fix this vulnerability [1]. Users should upgrade to ADManager Plus version 7111 or later immediately [1]. No workarounds have been published for unpatched versions [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.