CVE-2021-37925
Description
Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Post-authentication OS command injection in Zoho ManageEngine ADManager Plus versions 7110 and prior allows authenticated users to execute arbitrary commands.
Vulnerability
Zoho ManageEngine ADManager Plus versions 7110 and prior contain a post-authentication OS command injection vulnerability. The vulnerability exists in an unspecified component that allows authenticated users to inject operating system commands. [1] describes the fix in version 7111.
Exploitation
An attacker must have valid authentication credentials to the ADManager Plus web interface. With authenticated access, the attacker can send crafted requests that inject OS commands into a vulnerable parameter or function. No additional privileges or user interaction beyond authentication is required.
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the underlying server with the privileges of the application process. This can lead to full compromise of the ADManager Plus server, including data exfiltration, lateral movement, and further attacks.
Mitigation
The vulnerability is fixed in Zoho ManageEngine ADManager Plus version 7111 and later. [1] provides the release notes for version 7111. Users should upgrade to version 7111 or the latest available build. No workarounds are documented in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine/ADManager Plus
- Range: <=7110
Patches
No patches discovered yet.
References
- www.manageengine.com (mitre, x_refsource_MISC)
- www.manageengine.com/products/ad-manager/release-notes.html (mitre, x_refsource_MISC)