Zoho ManageEngine CVE-2021-40539 Vulnerability Actively Exploited in the Wild

CISA recently released an advisory about the active exploitation of a newly identified vulnerability, CVE-2021-40539, in ManageEngine ADSelfService Plus
Updated on
April 19, 2023
Published on
September 23, 2021
Subscribe to the latest industry news, threats and resources.
Category Vulnerability Intelligence
Vulnerability Class Remote Code Execution
CVE ID CVE-2021-40539
CVSS:3.0 Score 9.8
Reference *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • CISA recently released an advisory about the active exploitation of a newly identified vulnerability, CVE-2021-40539, in ManageEngine ADSelfService Plus.
  • ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Versions up to 6113 are affected by this vulnerability.
  • Zoho released the patch for ManageEngine ADSelfService Plus build 6114 on 6 September 2021, which fixes this vulnerability.
  • Threat actors could exploit this vulnerability to compromise the internal network, thereby causing remote code execution and/ or exfiltration of sensitive information.


ManageEngine ADSelfService Plus is a secure, web-based, end-user password reset management software. The security issue identified as CVE-2021-40539 is considered critical as it allows a remote, unauthenticated attacker to execute arbitrary malicious code on a vulnerable system.   This is an authentication bypass vulnerability which affects the REST API URLs that, in turn, could result in remote code execution (RCE). Based on the patch released by Zoho, this vulnerability was caused due to a path normalization bug.   Normalizing a path is the process where the coder modifies the string which identifies a path or file so that it conforms to a valid path on the target operating system.   [caption id="attachment_17943" align="aligncenter" width="579"]Code snippet used for path normalization Code snippet used for path normalization[/caption]  
Identifying if your installation is affected
  ManageEngine has developed a special tool to determine if an ADSelfService Plus installation is vulnerable to the above-mentioned authentication bypass flaw.
  1. Download this ZIP file and extract its content to \ManageEngine\ADSelfService Plus\bin folder.
  2. Right-click on the RCEScan.bat file and run as administrator.
  3. A command prompt window will open. If your installation is affected, you will get the following message:
"Result: Your ADSelfService Plus installation is affected by authentication bypass vulnerability."   [caption id="attachment_17944" align="aligncenter" width="593"]Screenshot of the message displayed on a vulnerable installation Screenshot of the message displayed on a vulnerable installation[/caption]  
Steps to follow if your installation is compromised
  After confirming that your installation is affected by the vulnerability, follow the steps below to rectify it:
  • Firstly, disconnect the machine containing ADSelfService Plus, from your network.
  • Create a backup of the ADSelfService Plus database through these steps.
  • Once all the business-critical data has been successfully backed up, format the compromised machine.
  • Now, again download* and install ManageEngine ADSelfService Plus.
  • After completing the installation, restore the backup and start the server.
  • Once the server is up and running, use the service pack to upgrade the installation to the latest build, which is 6114.
  • Examine accounts for unauthorized access or use. Also, look for signs of lateral movement from the faulty equipment to other machines. If there are any indications suggesting the Active Directory accounts have been compromised, reset their passwords.
  • Make sure you're downloading the EXE of the same build as the one you saved the backup for in step 2.
  • Instead of using the impacted machine for this new installation, it is strongly advised to use a different machine.

Impact & Mitigation

Impact Mitigation
  • Remote code execution allows the attackers to take control of the target system.
  • Initial access to a corporate endpoint may potentially enable lateral movements in the internal network.
  • Nation-state actors leverage client-side zero-day vulnerabilities to compromise information, while ransomware groups use these vulnerabilities to extort money by encrypting user data.
  • Update ADSelfService Plus to the latest build, 6114 - http://csek.me/Ct0I
  • Ensure that ADSelfService Plus is not directly accessible from the internet.


Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations