CVE-2021-40539

CVE-2021-40539 is a critical-severity vulnerability in Zohocorp Manageengine Adselfservice Plus with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-706.

Key facts

Description

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

CVE-2021-40539: Zoho ManageEngine ADSelfService Plus Authentication Bypass Leading to RCE

AI-generated analysis based on the vulnerability data on this page.

CVE CVE-2021-40539
Product Zoho ManageEngine ADSelfService Plus
CVSS v3 9.8 (Critical)
EPSS 0.9896 (99.92nd percentile)
CWE CWE-706: Use of Incorrectly-Resolved Name or Reference
KEV Yes (added 2021-11-03)
Published 2021-09-07

Summary

Zoho ManageEngine ADSelfService Plus versions 6113 and prior contain a REST API authentication bypass that allows unauthenticated remote attackers to achieve remote code execution.

Background

ADSelfService Plus is an enterprise self-service password management and single sign-on solution that exposes administrative functionality through a REST API. The product is widely deployed in Active Directory environments to enable users to reset passwords and unlock accounts without help-desk intervention.

Root Cause (CWE-706)

The vulnerability is categorized under CWE-706: Use of Incorrectly-Resolved Name or Reference per NVD data. In the REST API implementation, the authentication layer fails to correctly resolve or validate the identity and authentication state of incoming requests before dispatching them to sensitive endpoints. This flaw allows an attacker to access API paths that should require an authenticated administrative session, effectively bypassing the access-control boundary.

Impact

This vulnerability scores CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H for a base score of 9.8 (Critical). The impact dimensions are all HIGH:

  • Confidentiality: Attackers can read sensitive configuration data and credentials.
  • Integrity: Attackers can modify policies, user accounts, or system settings.
  • Availability: Attackers can crash the application or the underlying host.

With a network attack vector, low complexity, no privileges required, and no user interaction, the vulnerability is trivially exploitable at scale.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: This section describes the attack chain from a defender's viewpoint to aid detection and mitigation; it does not provide weaponized exploit code or step-by-step attacker instructions.

An attacker sends HTTP requests to REST API endpoints that do not properly enforce authentication. Because the API resolves the request as unauthenticated or fails to validate session tokens, the attacker gains unauthorized access to administrative or system-level functions. With access to these internal functions, the attacker can then trigger operations that execute arbitrary commands on the server operating system. From a defensive standpoint, this manifests as:

  • Unauthenticated POST/GET requests to /rest/* or similar API paths from unexpected source IPs.
  • Subsequent process spawning or file-write activity on the ADSelfService Plus server.
  • Unexpected outbound connections or credential-dumping behavior.

Affected and Patched Versions

  • Affected: Zoho ManageEngine ADSelfService Plus version 6113 and prior (including builds 6100, 6101, 6102, 6103, 6104, 6105, 6106, and earlier 6.1 builds).
  • Patched: Upgrade to the latest version provided by the vendor. Zoho has published a dedicated KB article with remediation steps (see References).

Remediation

  1. Upgrade immediately: Apply the latest security patch from Zoho ManageEngine. The vendor has released a dedicated fix for this authentication bypass.
  2. Restrict network access: Until patching is complete, restrict access to the ADSelfService Plus administrative interface to trusted internal IP ranges only. Do not expose the management port to the internet.
  3. Compensating controls: Deploy a Web Application Firewall (WAF) rule set that blocks anomalous REST API requests without valid session headers. Implement strict IP allowlisting for the management portal.
  4. Monitor vendor advisories: Follow Zoho's security KB for any additional patches or configuration changes.

Detection

  • Monitor REST API access logs for requests to administrative endpoints that lack valid session tokens or authentication headers.
  • Alert on repeated HTTP requests to /rest/* endpoints from external or unexpected internal IP addresses.
  • Correlate endpoint activity with the CISA Known Exploited Vulnerabilities (KEV) catalog; this CVE has been actively exploited since November 2021.
  • Hunt for post-exploitation indicators such as unexpected PowerShell/cmd execution, new local administrator accounts, or lateral-movement activity originating from the ADSelfService Plus server.

Assessment

With an EPSS score of 0.9896 (99.92nd percentile) and inclusion in the CISA KEV catalog since 2021-11-03, this vulnerability is a near-certain exploitation target. It has been linked to ransomware campaigns and is actively exploited in the wild. The combination of authentication bypass and remote code execution on a widely deployed identity-management product makes this a Tier-0 patching priority. CISA and the EU vulnerability database (EUVD-2021-27714) both flag this as actively exploited.

Key lessons:

  1. REST APIs must enforce authentication and authorization on every endpoint; never assume that an internal path is "unreachable."
  2. KEV-catalogued vulnerabilities with Critical CVSS scores should be remediated within the shortest possible SLA, ideally within 24 hours for internet-facing systems.

References

Frequently asked questions

What is CVE-2021-40539?
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
How severe is CVE-2021-40539?
CVE-2021-40539 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-40539 being actively exploited?
Yes. CVE-2021-40539 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-40539?
CVE-2021-40539 primarily affects Zohocorp Manageengine Adselfservice Plus. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-40539?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-40539 have an EU (EUVD) identifier?
Yes. CVE-2021-40539 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-27714. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-40539 published?
CVE-2021-40539 was published on 2021-09-07 and last updated on 2026-06-17.

References

Affected products (10)

More vulnerabilities in Zohocorp Manageengine Adselfservice Plus

All CVEs affecting Zohocorp Manageengine Adselfservice Plus →

Other CWE-706 vulnerabilities

Browse all CWE-706 vulnerabilities →