CVE-2021-38298
Description
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind XXE vulnerability in Zoho ManageEngine ADManager Plus before build 7110 allows attackers to exfiltrate data from the underlying system.
Vulnerability
A blind XML External Entity (XXE) vulnerability exists in Zoho ManageEngine ADManager Plus prior to build 7110 [1]. The flaw is triggered when the application parses specially crafted XML input without proper external entity restriction, allowing attackers to enumerate files and services on the host system.
Exploitation
An attacker can exploit this vulnerability by sending a malicious XML payload to the affected endpoints. No authentication is explicitly required for the vulnerable code path; however, some report sources indicate that only authenticated users with certain permissions may reach the parsing routine. The attacker needs network access to the ADManager Plus web interface. The attack does not require user interaction beyond the initial request, and exploitation is blind — meaning the attacker must use out-of-band techniques (e.g., DNS or HTTP exfiltration) to retrieve the data.
Impact
Successful exploitation allows an attacker to read arbitrary files from the server filesystem, perform server-side request forgery (SSRF) to probe internal services, and potentially leak sensitive configuration data or credentials. The compromise is limited to information disclosure rather than full remote code execution, but the disclosed data can enable further attacks.
Mitigation
The vulnerability is fixed in Zoho ManageEngine ADManager Plus build 7110, released on October 7, 2021 [1]. All prior builds are vulnerable. Customers should upgrade immediately to build 7110 or later. No workarounds have been published. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ADManager Plus
- Range: <7110
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.manageengine.com/products/ad-manager/release-notes.html (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.