CVE-2021-42099
Description
Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine M365 Manager Plus before build 4421 allows unauthenticated file upload leading to remote code execution.
Vulnerability
Zoho ManageEngine M365 Manager Plus before build 4421 contains a file-upload vulnerability that allows an attacker to upload arbitrary files, including executable code, to the server. The vulnerability exists in the file upload functionality of the application. Affected versions are all prior to build 4421 [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the file upload endpoint, uploading a malicious file (e.g., a JSP web shell) without requiring authentication. The attacker does not need any special privileges or user interaction. The uploaded file is then accessible on the server, allowing the attacker to execute arbitrary code.
Impact
Successful exploitation results in remote code execution on the underlying server with the privileges of the application process. This can lead to full compromise of the M365 Manager Plus instance and potentially the underlying system, including data exfiltration, lateral movement, and further attacks.
Mitigation
The vulnerability is fixed in build 4421 of Zoho ManageEngine M365 Manager Plus; the available references do not give a release date for that build. Users should upgrade to build 4421 or later immediately [1]. No workarounds are documented in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine/M365 Manager Plus (description)
- Range: <4421
Patches
No patches discovered yet.
References
- www.manageengine.com (mitre, x_refsource_MISC)
- www.manageengine.com/microsoft-365-management-reporting/release-notes.html (mitre, x_refsource_CONFIRM)