CVE-2021-37921

9.8 CRITICAL

📋 TL;DR

CVE-2021-37921 is a critical vulnerability in Zoho ManageEngine ADManager Plus that allows attackers to upload arbitrary files without restrictions, leading to remote code execution. This affects all organizations using ADManager Plus version 7110 and earlier for Active Directory management. Attackers can gain complete control of affected systems.

💻 Affected Systems

Products:
  • Zoho ManageEngine ADManager Plus
Versions: Version 7110 and prior
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary code, steal credentials, pivot to other systems, and deploy ransomware or other malware across the network.

🟠 Likely Case

Remote code execution leading to data exfiltration, installation of backdoors, and lateral movement within the network.

🟢 If Mitigated

Limited impact if proper network segmentation, file upload restrictions, and monitoring are in place, though the vulnerability remains exploitable.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly accessible to attackers without requiring internal network access.
🏢 Internal Only: HIGH - Even internally accessible instances are vulnerable to attackers who gain initial foothold through phishing or other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers can exploit without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 7111 and later

Vendor Advisory: https://www.manageengine.com/products/ad-manager/release-notes.html#7111

Restart Required: Yes

Instructions:

1. Download ADManager Plus version 7111 or later from the ManageEngine website.
2. Back up the current installation.
3. Stop the ADManager Plus service.
4. Install the new version.
5. Restart the service.

🔧 Temporary Workarounds

Restrict File Uploads (applies to: all)

Implement strict file upload validation and restrictions at the web application firewall or application level.

Network Segmentation (applies to: all)

Isolate ADManager Plus instances from critical network segments and restrict inbound access.

🧯 If You Can't Patch

  • Immediately remove internet-facing access and restrict to internal network only with strict firewall rules.
  • Implement application-level file upload validation and monitoring for suspicious file upload attempts.

🔍 How to Verify

Check if Vulnerable:

Check the ADManager Plus version in the web interface or in the installation directory. Versions 7110 and earlier are vulnerable.

Check Version:

Check the web interface, or look for version.txt in the installation directory.

Verify Fix Applied:

Verify that the version is 7111 or later, then test the file upload functionality with malicious files to confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload attempts
  • Execution of unexpected processes
  • Web server error logs showing file upload validation failures

Network Indicators:

  • HTTP POST requests with file uploads to ADManager Plus endpoints
  • Outbound connections from ADManager Plus server to unknown IPs

SIEM Query:

source="admanager-plus" AND (event="file_upload" OR event="process_execution")
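The SIEM query above only filters for the two event types; what actually distinguishes exploitation of an arbitrary-upload bug from normal administrative use is an upload followed shortly afterwards by an unexpected process execution on the same host. The following is an added example (not from the original page or from ManageEngine) that applies that correlation to constructed JSON events; the field names `source`, `event`, `host`, `time` and `detail` are an assumption, not a ManageEngine log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real ADManager Plus logs). Field names are
# an assumption made to mirror the page's SIEM query.
SAMPLE_EVENTS = [
    '{"time":"2021-08-01T10:00:00","source":"admanager-plus","host":"adm01","event":"file_upload","detail":"report.csv"}',
    '{"time":"2021-08-01T10:00:40","source":"admanager-plus","host":"adm01","event":"process_execution","detail":"cmd.exe"}',
    '{"time":"2021-08-01T11:30:00","source":"admanager-plus","host":"adm02","event":"file_upload","detail":"users.csv"}',
    '{"time":"2021-08-01T13:30:00","source":"admanager-plus","host":"adm02","event":"process_execution","detail":"java.exe"}',
    '{"time":"2021-08-01T12:00:00","source":"other-app","host":"adm01","event":"file_upload","detail":"notes.txt"}',
]


def parse_events(lines):
    """Parse one JSON event per line and return them sorted by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def matching_events(events):
    """Equivalent of the page's SIEM query: source is admanager-plus AND
    event is file_upload OR process_execution."""
    return [e for e in events
            if e["source"] == "admanager-plus"
            and e["event"] in ("file_upload", "process_execution")]


def correlate_upload_then_exec(events, window=timedelta(minutes=5)):
    """Pair every file_upload with any process_execution on the same host
    that occurs within `window` after it. Each hit is
    (host, uploaded file, executed process, seconds between them)."""
    matched = matching_events(events)
    uploads = [e for e in matched if e["event"] == "file_upload"]
    execs = [e for e in matched if e["event"] == "process_execution"]
    hits = []
    for up in uploads:
        for ex in execs:
            if ex["host"] == up["host"] and up["time"] <= ex["time"] <= up["time"] + window:
                gap = (ex["time"] - up["time"]).total_seconds()
                hits.append((up["host"], up["detail"], ex["detail"], gap))
    return hits


if __name__ == "__main__":
    for hit in correlate_upload_then_exec(parse_events(SAMPLE_EVENTS)):
        print("ALERT: upload followed by process execution:", hit)
```

In the sample data only adm01 fires, because its upload is followed by cmd.exe within 40 seconds; the two-hour gap on adm02 and the event from another source fall outside the rule.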

🔗 References
