CVE-2021-37926

Vulnerability

Zoho ManageEngine ADManager Plus versions 7110 and prior contain an unrestricted file upload vulnerability in the web interface. An attacker can upload arbitrary files without proper validation, leading to remote code execution. The vulnerability exists in the file upload functionality, which does not restrict file types or paths. [1]

Exploitation

An attacker with network access to the ADManager Plus web console can exploit this vulnerability by uploading a malicious file, such as a JSP web shell, to the server. No authentication is required if the upload endpoint is exposed, but in typical deployments, administrative access may be needed. The uploaded file can then be accessed via the web server, allowing execution of arbitrary commands.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the web application (typically SYSTEM or a high-privilege account). This leads to full compromise of the ADManager Plus server and potentially the Active Directory environment it manages.

Mitigation

Zoho released version 7111 to fix this vulnerability. Users should upgrade to ADManager Plus build 7111 or later. No workarounds are documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.