Cyber Resilience

CVE-2026-2740

HighRCE

Published: 21 May 2026

Published
21 May 2026
Modified
21 May 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0170 74.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2740 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Zohocorp ManageEngine ADSelfService Plus versions before 6525, DataSecurity Plus versions before 6264, and RecoveryManager Plus versions before 6313 contain an authenticated remote code execution vulnerability in agent machines that stems from a flaw in a third-party dependency. The issue is tracked as CVE-2026-2740 with a CVSS 3.1 score of 8.4 and is associated with CWE-77 command injection.

An attacker with low-privileged authenticated access can exploit the flaw over the network, though successful exploitation requires high attack complexity and results in high impact to confidentiality and integrity plus limited availability impact with scope change to other components on the affected systems.

The vendor advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-2740.html addresses the affected products and provides guidance on remediation through version upgrades.

EPSS for the CVE remains flat at a peak and current value of 0.0139 with no material increase observed after disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Authenticated command injection (CWE-77) in ManageEngine products directly enables remote exploitation of a public-facing application and arbitrary command execution via T1059 interpreters.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44869Shared CWE-77
CVE-2026-44866Shared CWE-77
CVE-2025-57685Shared CWE-77
CVE-2025-60021Shared CWE-77
CVE-2026-2333Shared CWE-77
CVE-2025-67728Shared CWE-77
CVE-2025-24818Shared CWE-77
CVE-2024-54794Shared CWE-77
CVE-2025-60801Shared CWE-77
CVE-2025-55294Shared CWE-77

Affected Assets

Zohocorp ManageEngine ADSelfService Plus
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the known vulnerable versions of ADSelfService Plus, DataSecurity Plus and RecoveryManager Plus that contain the third-party command-injection flaw.

prevent

Mandates validation of all inputs to the agent components, blocking the CWE-77 command injection that enables the authenticated RCE.

prevent

Enforces least privilege on authenticated accounts so that even valid low-privileged users have minimal rights to reach or trigger the vulnerable agent code paths.

References