CVE-2021-40539
Published: 07 September 2021
Summary
CVE-2021-40539 is a critical-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Zoho ManageEngine ADSelfService Plus. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Deeper analysis
Zoho ManageEngine ADSelfService Plus versions 6113 and earlier contain a REST API authentication bypass vulnerability that leads directly to remote code execution. The flaw is tracked as CVE-2021-40539 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation without credentials or user interaction. The affected component is the product's REST API handling, classified under CWE-706.
Unauthenticated attackers can send specially crafted requests to the REST endpoints to circumvent authentication controls and obtain the ability to execute arbitrary code on the underlying server. Successful exploitation grants full control over the ManageEngine instance, including access to stored credentials and the ability to pivot within the managed Active Directory environment.
Vendor guidance published by ManageEngine directs administrators to apply the authentication bypass fix for the REST API; the company has released a knowledge-base article detailing the required remediation steps along with updated builds that address the issue. Public exploit code for the vulnerability has also been posted to Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-27714
Vulnerability details
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
- CWE(s): CWE-706 (Use of Incorrectly-Resolved Name or Reference)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization decisions on REST API endpoints, blocking the unauthenticated requests that bypass controls and lead to RCE.
- IA-9 (Service Identification and Authentication): Requires identification and authentication of services before granting access to REST API functions, directly mitigating the authentication bypass flaw.
- Input validation: Validates all input to REST endpoints, reducing the ability of specially crafted unauthenticated requests to achieve code execution after any partial bypass.