CVE-2021-37924
Description
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unrestricted file upload in Zoho ManageEngine ADManager Plus before 7111 allows remote code execution.
Vulnerability
An unrestricted file upload vulnerability exists in Zoho ManageEngine ADManager Plus version 7110 and prior [1]. The product fails to properly validate or restrict the types of files that can be uploaded, allowing an attacker to upload arbitrary files to the server [1]. This vulnerability is present in the file upload functionality across affected versions.
Exploitation
An attacker with network access to the application can exploit this vulnerability by sending a crafted HTTP request containing a malicious file (e.g., a JSP web shell) to the file upload endpoint [1]. No authentication is mentioned as a requirement in the original disclosure, but typical file upload features may require some level of access. The attack does not require user interaction beyond the initial upload action.
Impact
Successful exploitation allows an attacker to achieve remote code execution on the underlying server with the privileges of the application process [1]. This can lead to full compromise of the affected system, including data exfiltration, lateral movement, and further attacks within the network.
Mitigation
Zoho released version 7111 which fixes this vulnerability [1]. All organizations running ADManager Plus version 7110 or earlier should upgrade to version 7111 or later immediately. No workarounds are documented in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ADManager Plus
- Range: <=7110
Patches
No patches discovered yet.
References
- www.manageengine.com (mitre, x_refsource_MISC)
- www.manageengine.com/products/ad-manager/release-notes.html (mitre, x_refsource_MISC)