Vulnerability Details : CVE-2021-40539
Public exploit exists!
Used for ransomware!
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
Vulnerability category: Execute code
Products affected by CVE-2021-40539
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5700:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5701:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5607:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4540:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4543:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4590:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4591:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5020:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5021:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5101:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5102:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5103:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5110:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5111:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5202:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5203:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5303:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5304:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5311:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5312:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5319:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5320:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5328:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5329:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5504:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5505:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5512:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5513:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5521:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5600:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5607:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5702:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4511:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4520:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4570:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4571:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5002:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5032:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5040:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5106:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5107:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5114:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5115:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5206:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5207:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5307:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5308:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5315:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5316:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5323:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4522:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4531:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4572:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4580:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5010:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5011:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5041:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5108:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5109:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5200:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5201:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5300:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5301:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5302:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5309:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5310:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5317:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5318:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5325:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5326:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5327:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5502:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5503:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5510:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5511:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5519:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5520:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5605:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5606:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5324:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5500:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5501:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5508:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5509:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5516:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5517:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5518:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5603:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5604:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4510:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4544:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4550:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4560:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4592:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5022:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5030:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5104:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5105:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5112:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5113:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5204:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5205:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5305:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5306:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5313:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5314:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5321:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5322:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5330:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.4:5400:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5506:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5507:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5514:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5515:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5601:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5602:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5707:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5705:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5704:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5706:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5703:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5708:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5709:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5710:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5800:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5801:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5802:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5803:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5116:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5804:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5805:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5806:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5807:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5808:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6002:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6003:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6004:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6005:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6006:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6007:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6008:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6009:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6012:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6013:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5809:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5810:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5811:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5812:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5813:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5814:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5815:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5816:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6103:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6101:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6102:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6104:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6105:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6106:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6113:*:*:*:*:*:*
CVE-2021-40539 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2021-40539
Added on
2021-11-03
Action due date
2021-11-17
Exploit prediction scoring system (EPSS) score for CVE-2021-40539
94.42%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2021-40539
-
ManageEngine ADSelfService Plus CVE-2021-40539
Disclosure Date: 2021-09-07First seen: 2022-12-23exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539This module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.
CVSS scores for CVE-2021-40539
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-03 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2021-40539
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
-
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-40539
-
https://www.manageengine.com
ManageEngine - IT Operations and Service Management SoftwareVendor Advisory
-
https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
Fixing the authentication bypass vulnerability affecting REST APIs | ManageEngine ADSelfService PlusPatch;Vendor Advisory
-
http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html
ManageEngine ADSelfService Plus Authentication Bypass / Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
Jump to