CVE-2021-37761
📋 TL;DR
This vulnerability allows attackers to upload malicious files to Zoho ManageEngine ADManager Plus servers without proper validation, leading to remote code execution. It affects all organizations running ADManager Plus version 7110 and earlier. Attackers can gain complete control of affected systems.
💻 Affected Systems
- Zoho ManageEngine ADManager Plus
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal sensitive Active Directory data, deploy ransomware, and pivot to other network resources.
Likely Case
Remote code execution leading to data exfiltration, credential theft, and installation of backdoors or malware.
If Mitigated
Limited impact with proper network segmentation, but still potential for data exposure if exploited.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7111 and later
Vendor Advisory: https://www.manageengine.com/products/ad-manager/release-notes.html#7111
Restart Required: Yes
Instructions:
1. Download ADManager Plus version 7111 or later from the ManageEngine website.
2. Stop the ADManager Plus service.
3. Install the update.
4. Restart the service.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to ADManager Plus to only trusted IP addresses and networks
Web Application Firewall
Deploy WAF rules to block file upload attempts to vulnerable endpoints
🧯 If You Can't Patch
- Immediately isolate the ADManager Plus server from the internet and restrict internal access
- Implement strict file upload validation and monitoring for suspicious file upload activities
🔍 How to Verify
Check if Vulnerable:
Check the ADManager Plus version in the web interface or installation directory. Versions 7110 and below are vulnerable.
Check Version:
Check web interface or look for version.txt in installation directory
Verify Fix Applied:
Verify the version is 7111 or higher after patching and test that file upload functionality properly validates file types.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to ADManager Plus endpoints
- Suspicious POST requests with file upload parameters
- Unexpected process execution from web server context
Network Indicators:
- HTTP POST requests to file upload endpoints with unusual file extensions
- Outbound connections from ADManager Plus server to unknown external IPs
SIEM Query:
source="ADManagerPlus" AND (url="*upload*" OR method="POST") AND (file_extension="jsp" OR file_extension="war" OR file_extension="php")
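As an added example (not part of this advisory and not vendor code), the following Python script applies the same detection logic as the SIEM query above to a handful of constructed log lines. The simplified log format, the "/upload" paths and the "filename" query parameter are assumptions for illustration, not ADManager Plus's actual logging.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in a hypothetical format (not real ADManager Plus logs):
# <client_ip> <method> <path?query> <status>
SAMPLE_LOGS = """\
10.0.0.5 GET /home 200
198.51.100.7 POST /upload?filename=report.csv 200
198.51.100.7 POST /upload?filename=shell.jsp 200
203.0.113.9 POST /api/upload?filename=backup.war 200
10.0.0.8 POST /login 302
203.0.113.9 POST /upload?filename=PAGE.PHP 200
"""

# Extensions named in the advisory's SIEM query; compared case-insensitively
SUSPICIOUS_EXT = {"jsp", "war", "php"}
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")


def uploaded_extension(target):
    """Return the lowercase extension of the 'filename' query parameter, or None."""
    names = parse_qs(urlparse(target).query).get("filename")
    if not names or "." not in names[0]:
        return None
    return names[0].rsplit(".", 1)[1].lower()


def is_suspicious_upload(line):
    """True for a POST to an upload endpoint carrying a jsp/war/php filename."""
    m = LINE_RE.match(line)
    if not m:
        return False  # unparsable line: skip rather than alert
    if m.group("method") != "POST" or "upload" not in m.group("target").lower():
        return False
    return uploaded_extension(m.group("target")) in SUSPICIOUS_EXT


def find_suspicious_uploads(log_text):
    """Return (client_ip, request_target) for every line that should raise an alert."""
    hits = []
    for line in log_text.splitlines():
        if is_suspicious_upload(line):
            m = LINE_RE.match(line)
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_suspicious_uploads(SAMPLE_LOGS):
        print(f"ALERT upload of suspicious file type from {ip}: {target}")
```

Benign uploads (the .csv line) and POSTs to non-upload paths are not flagged, while the uppercase .PHP name is still caught.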