VYPR
High severity 8.4 · NVD Advisory · Published May 21, 2026 · Updated May 21, 2026

CVE-2026-2740

Description

Zohocorp ManageEngine ADSelfService Plus versions before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to authenticated remote code execution on the agent machines due to a bug in a third-party dependency.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated domain users can achieve RCE on agent machines in ManageEngine ADSelfService Plus, DataSecurity Plus, and RecoveryManager Plus due to improper access control.

Vulnerability

CVE-2026-2740 is an authenticated remote code execution vulnerability in ManageEngine ADSelfService Plus (build 6524 and earlier), DataSecurity Plus (build 6263 and earlier), and RecoveryManager Plus (build 6312 and earlier) [1]. The flaw resides in the service used to deploy the respective product agents on client machines, where improper access controls allow manipulation of the communication channel between server and client [1].

Exploitation

An attacker must be an authenticated domain user to exploit this vulnerability [1]. By accessing the service communication channel between the server and client, the attacker can execute arbitrary commands on client machines where the agent is installed [1]. No additional user interaction is required beyond authentication.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the agent machine, leading to full remote code execution with the privileges of the agent process [1]. This compromises the confidentiality, integrity, and availability of the affected client systems.

Mitigation

The issue is fixed in ADSelfService Plus build 6525 (released 5 February 2026), DataSecurity Plus build 6264 (released 13 February 2026), and RecoveryManager Plus build 6313 (released 24 March 2026) [1]. Users should upgrade to the respective fixed versions. No workarounds are mentioned in the advisory.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

References: 1
