CVE-2021-37920

Vulnerability

Zoho ManageEngine ADManager Plus versions 7110 and prior contain an unrestricted file upload vulnerability [1]. This bug is located in the file upload functionality of the application, which does not properly validate or restrict the types of files that can be uploaded. The vulnerability allows an attacker to upload arbitrary files, including executable scripts, to the server. Versions prior to 7111 are affected.

Exploitation

An attacker needs network access to the ManageEngine ADManager Plus web interface [2]. No authentication is required to reach the vulnerable file upload endpoint. The attacker can upload a malicious web shell or script file via the upload feature, then access the uploaded file remotely to execute commands on the server.

Impact

Successful exploitation results in remote code execution with the privileges of the web server process [1]. This leads to complete compromise of the ADManager Plus server and potentially the underlying Active Directory infrastructure, allowing data exfiltration, lateral movement, and further attacks on the network.

Mitigation

Zoho released version 7111 on October 7, 2021, which fixes this vulnerability [1]. Users should upgrade to version 7111 or later immediately. There is no workaround available for unpatched versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.