CVE-2026-2740
Published: 21 May 2026
Summary
CVE-2026-2740 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Zohocorp ManageEngine ADSelfService Plus versions before 6525, DataSecurity Plus versions before 6264, and RecoveryManager Plus versions before 6313 contain an authenticated remote code execution vulnerability in agent machines that stems from a flaw in a third-party dependency. The issue is tracked as CVE-2026-2740 with a CVSS 3.1 score of 8.4 and is associated with CWE-77 command injection.
An attacker with low-privileged authenticated access can exploit the flaw over the network, though successful exploitation requires high attack complexity and results in high impact to confidentiality and integrity plus limited availability impact with scope change to other components on the affected systems.
The vendor advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-2740.html addresses the affected products and provides guidance on remediation through version upgrades.
EPSS for the CVE remains flat at a peak and current value of 0.0139 with no material increase observed after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31283
Vulnerability details
Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated command injection (CWE-77) in ManageEngine products directly enables remote exploitation of a public-facing application and arbitrary command execution via T1059 interpreters.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely remediation of the known vulnerable versions of ADSelfService Plus, DataSecurity Plus and RecoveryManager Plus that contain the third-party command-injection flaw.
Mandates validation of all inputs to the agent components, blocking the CWE-77 command injection that enables the authenticated RCE.
Enforces least privilege on authenticated accounts so that even valid low-privileged users have minimal rights to reach or trigger the vulnerable agent code paths.