CVE-2021-42002
Description
Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated file-upload remote code execution in Zoho ManageEngine ADManager Plus before build 7115 due to a filter bypass.
Vulnerability
A filter bypass vulnerability exists in Zoho ManageEngine ADManager Plus prior to build 7115. This flaw allows an authenticated user to upload arbitrary files to the server, bypassing the intended restrictions on file types. The vulnerable code path is reachable when a user with valid credentials accesses the file upload functionality. Affected versions: all releases before build 7115.
Exploitation
An attacker needs only authenticated access to the ADManager Plus web interface. No special administrative privileges are required. The attacker crafts a malicious file (e.g., a JSP web shell) that passes the file-type filter and uploads it through the vulnerable upload functionality. Once the file is placed in a web-accessible directory, the attacker can execute arbitrary code on the server.
Impact
Successful exploitation leads to remote code execution (RCE) on the underlying server. The attacker gains full control over the ManageEngine ADManager Plus application and runs code as the operating system user the application runs under, which typically has high privileges. This can result in complete compromise of the confidentiality, integrity, and availability of the affected system and possibly of the managed Active Directory environment.
Mitigation
The vulnerability is fixed in Zoho ManageEngine ADManager Plus build 7115 and later. Organizations should upgrade to build 7115 or the latest available build as soon as possible. No workarounds are documented in the available references [1]. The product is still supported and actively maintained.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ADManager Plus
- Range: < 7115
Patches
No patches discovered yet.
References
- [1] www.manageengine.com/products/ad-manager/release-notes.html (mitre, x_refsource_CONFIRM)