CVE-2021-33055

9.8 CRITICAL

📋 TL;DR

CVE-2021-33055 is a critical remote code execution vulnerability in Zoho ManageEngine ADSelfService Plus that allows unauthenticated attackers to execute arbitrary code on affected systems. This affects non-English editions of the software, potentially compromising Active Directory environments. Organizations using vulnerable versions of ADSelfService Plus are at immediate risk.

💻 Affected Systems

Products:
  • Zoho ManageEngine ADSelfService Plus
Versions: All versions through 6102
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects non-English editions of the software. English editions are not vulnerable to this specific exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the ADSelfService Plus server leading to domain admin privileges, lateral movement across the network, data exfiltration, ransomware deployment, and full Active Directory takeover.

🟠 Likely Case

Attackers gain an initial foothold on the server, install backdoors, steal credentials, and use the compromised system as a pivot point for further attacks within the network.

🟢 If Mitigated

If properly segmented and monitored, impact is limited to the ADSelfService Plus server, with potential credential exposure but contained lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing instances extremely vulnerable to widespread attacks.
🏢 Internal Only: HIGH - Even internally accessible instances are vulnerable to attackers who gain network access through phishing, compromised endpoints, or other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploits available. Actively exploited in the wild. Attack requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6104 and later

Vendor Advisory: https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released

Restart Required: Yes

Instructions:

1. Download ADSelfService Plus 6104 or later from the official Zoho website.
2. Back up the current installation and configuration.
3. Stop the ADSelfService Plus service.
4. Install the updated version.
5. Restart the service.
6. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Restrict network access to ADSelfService Plus to only the internal networks that need it.

Disable Non-English Editions

Applies to: all

Switch to the English edition if possible, as the vulnerability only affects non-English versions.

🧯 If You Can't Patch

  • Immediately take ADSelfService Plus offline until patched
  • Implement strict network segmentation and firewall rules to limit access to the vulnerable system

🔍 How to Verify

Check if Vulnerable:

Check the ADSelfService Plus version in the web interface or in the installation directory. Versions 6102 and earlier are vulnerable when running a non-English edition.

Check Version:

Check the web interface at https://[server]:[port]/ or examine the version files in the installation directory.

Verify Fix Applied:

Verify that the version shown in the web interface or the 'About' section is 6104 or later. Test that the specific exploit path no longer works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from ADSelfService Plus service
  • Suspicious PowerShell or command execution
  • Failed authentication attempts followed by successful exploitation

Network Indicators:

  • Unusual outbound connections from ADSelfService Plus server
  • Exploit-specific HTTP requests to vulnerable endpoints
  • Traffic to known malicious IPs

SIEM Query:

source="ADSelfServicePlus" AND (process_name="powershell.exe" OR process_name="cmd.exe") AND parent_process="java.exe"
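To apply the same parent/child process logic as the SIEM query above outside a SIEM, here is an added Python example (not from the original page) that runs it over constructed process-creation events; the field names, host names and install path are assumptions, not real product telemetry.

```python
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Executable names the SIEM query above looks for as children of the
# ADSelfService Plus Java process.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe"}
EXPECTED_PARENT = "java.exe"
EXPECTED_SOURCE = "ADSelfServicePlus"


def exe_name(path: str) -> str:
    """Lower-cased executable name; accepts a bare name or a full Windows path."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when ADSelfService Plus's java.exe directly spawns cmd.exe or powershell.exe."""
    if event.get("source") != EXPECTED_SOURCE:
        return False
    parent = exe_name(event.get("parent_process", ""))
    child = exe_name(event.get("process_name", ""))
    return parent == EXPECTED_PARENT and child in SUSPICIOUS_CHILDREN


def find_hits(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match the detection logic, in input order."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample process-creation events (field names and the install path
# are assumptions, not real telemetry from the product).
SAMPLE_EVENTS = [
    # Full paths with mixed case: should still match.
    {"source": "ADSelfServicePlus", "host": "adssp01",
     "parent_process": r"C:\Program Files\ADSelfService Plus\jre\bin\Java.EXE",
     "process_name": r"C:\Windows\System32\cmd.exe"},
    # Bare names, PowerShell child: should match.
    {"source": "ADSelfServicePlus", "host": "adssp01",
     "parent_process": "java.exe", "process_name": "PowerShell.exe"},
    # JVM spawning another JVM: not in the suspicious set, no match.
    {"source": "ADSelfServicePlus", "host": "adssp01",
     "parent_process": "java.exe", "process_name": "java.exe"},
    # A user's interactive shell on an unrelated host: wrong source, no match.
    {"source": "WindowsHost", "host": "ws07",
     "parent_process": "explorer.exe", "process_name": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT host={hit['host']} parent={hit['parent_process']} child={hit['process_name']}")
```

Note that, like the SIEM query, this only matches a direct child of java.exe; if your telemetry records full process ancestry, extend the check to the whole lineage.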
