CVE-2021-37923
Description
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload leading to remote code execution.
Vulnerability
A critical vulnerability in Zoho ManageEngine ADManager Plus versions 7110 and prior allows unrestricted file upload. The product fails to properly validate or restrict the types of files that can be uploaded, enabling an attacker to upload arbitrary files including executable code. The vulnerability is rooted in the file upload functionality, which is reachable without specific authentication requirements in the default configuration, as described in the CVE description [1].
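The weakness class described above (an upload handler that does not restrict what is stored) is worth seeing beside the validation the paragraph says is missing. The following is an added example written for this page, not code from ADManager Plus or Zoho; the allowlist, size limit, storage root and sample inputs are assumptions constructed for illustration. It shows the checks a hardened upload path applies: a size cap, base-name extraction that discards client-supplied directory components, a single last-suffix extension checked against an allowlist, a magic-byte check so content must match the declared type, and a server-generated storage name so the client never chooses the path.

```python
"""Defensive upload validation, illustrating the controls whose absence makes an
unrestricted file upload. Example code for this page; not the product's code."""
import os
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy for this (hypothetical) endpoint: only images are legitimate.
# Each allowed extension maps to the magic bytes its content must begin with.
ALLOWED_EXTENSIONS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024          # assumed 2 MiB cap
UPLOAD_ROOT = "/var/lib/example-app/uploads"  # assumed; outside the web root

# Constructed sample: a minimal PNG header followed by padding.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def validate_upload(client_filename: str, data: bytes) -> UploadDecision:
    """Decide whether an upload is acceptable; never trust the client name."""
    # 1. Enforce the size limit before doing any other work on the body.
    if len(data) > MAX_BYTES:
        return UploadDecision(False, "file too large")

    # 2. Keep only the base name; "../" and drive/backslash paths are discarded.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return UploadDecision(False, "empty or invalid file name")

    # 3. The extension is the final suffix only, so "x.png.jsp" is seen as .jsp.
    match = re.fullmatch(r"[\w.-]+\.([A-Za-z0-9]+)", base)
    if not match:
        return UploadDecision(False, "unsupported characters or no extension")
    ext = match.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension .{ext} not allowed")

    # 4. Content must match the declared type; a script renamed to .png fails here.
    if not data.startswith(ALLOWED_EXTENSIONS[ext]):
        return UploadDecision(False, "content does not match extension")

    # 5. Store under a server-generated name; the client name is never reused.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadDecision(True, "ok", stored)


def store_upload(client_filename: str, data: bytes, root: str = UPLOAD_ROOT) -> UploadDecision:
    """Validate, then write under `root` (assumed to be outside the web root)."""
    decision = validate_upload(client_filename, data)
    if decision.accepted:
        with open(os.path.join(root, decision.stored_name), "wb") as fh:
            fh.write(data)
    return decision


if __name__ == "__main__":
    # Constructed inputs: one legitimate image and several rejected uploads.
    for name, body in [
        ("photo.png", PNG_SAMPLE),
        ("report.jsp", b"<html>"),
        ("notes.png", b"<html>"),
        ("a.png.jsp", PNG_SAMPLE),
        ("../../x.png", PNG_SAMPLE),
    ]:
        d = validate_upload(name, body)
        print(f"{name!r}: accepted={d.accepted} reason={d.reason} stored={d.stored_name}")
```

The ordering matters: the size check runs first so oversized bodies are never parsed, and the magic-byte check runs after the allowlist so the handler only ever compares against one expected signature. `store_upload` writes only after `validate_upload` has accepted the file, and the stored name contains no client-controlled characters.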
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the affected server, uploading a file containing malicious code. No authentication is required, and the attacker does not need prior access to the system. The attack can be executed remotely over the network, and no user interaction is needed. The attacker simply submits a file upload request with a payload that will be stored on the server [1].
Impact
Successful exploitation allows the attacker to achieve remote code execution on the vulnerable server. This means the attacker can run arbitrary commands with the privileges of the application, potentially leading to full compromise of the server, including data exfiltration, installation of malware, or further lateral movement within the network. The impact is critical due to the potential for complete system compromise, as evidenced by the CVSS score associated with this CVE [1].
Mitigation
The vulnerability is fixed in ManageEngine ADManager Plus build 7111 and later. Users are strongly advised to upgrade to the latest version. The release notes for version 7111 confirm the fix for this issue [1]. No workarounds are documented. If upgrading is not immediately possible, consider restricting network access to the ADManager Plus interface and implementing web application firewall rules to block suspicious file uploads, but these are not confirmed mitigations [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ADManager Plus
- Range: <=7110
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.manageengine.com
- www.manageengine.com/products/ad-manager/release-notes.html
News mentions
No linked articles in our index yet.