CVE-2021-37930

Vulnerability

Zoho ManageEngine ADManager Plus versions 7110 and prior are vulnerable to unrestricted file upload. The vulnerability allows an attacker to upload arbitrary files without proper validation, which can lead to remote code execution. The exact component is not detailed in the description, but the flaw exists in the file upload functionality. Affected versions: 7110 and earlier.

Exploitation

Specific exploitation details are not disclosed in the available references. Based on the nature of unrestricted file upload, an attacker with network access to the ADManager Plus web console (potentially without authentication if the upload endpoint is exposed) can upload a malicious file such as a JSP web shell. The uploaded file can then be executed on the server.

Impact

Successful exploitation allows an attacker to achieve remote code execution on the server hosting ADManager Plus. This can lead to full compromise of the application and underlying operating system, including data theft, lateral movement, and further attacks.

Mitigation

The vulnerability is fixed in ManageEngine ADManager Plus version 7111 and later. Users should upgrade to version 7111 or the latest available build. No workarounds have been published. The fix is referenced in the release notes [1].