CVE-2021-37923
📋 TL;DR
CVE-2021-37923 is a critical vulnerability in Zoho ManageEngine ADManager Plus that allows attackers to upload arbitrary files without restrictions, leading to remote code execution. This affects all organizations running ADManager Plus version 7110 and earlier. Attackers can gain complete control over affected systems.
💻 Affected Systems
- Zoho ManageEngine ADManager Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, data exfiltration, lateral movement across the network, and persistent backdoor installation.
Likely Case
Remote code execution leading to system takeover, credential theft, and deployment of ransomware or other malware.
If Mitigated
Limited impact with proper network segmentation, but still significant risk to the ADManager Plus server itself.
🎯 Exploit Status
This vulnerability has been actively exploited in the wild. The exploit requires no authentication and is straightforward to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7111 and later
Vendor Advisory: https://www.manageengine.com/products/ad-manager/release-notes.html#7111
Restart Required: Yes
Instructions:
1. Download ADManager Plus version 7111 or later from the ManageEngine website.
2. Stop the ADManager Plus service.
3. Install the update.
4. Restart the service.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to ADManager Plus to only trusted IP addresses and networks.
Web Application Firewall
Deploy a WAF with rules to block file upload attempts to vulnerable endpoints.
🧯 If You Can't Patch
- Immediately isolate the ADManager Plus server from the internet and restrict internal network access.
- Implement strict file upload validation and monitoring on the server.
🔍 How to Verify
Check if Vulnerable:
Check the ADManager Plus version in the web interface under Help > About. If the version is 7110 or earlier, the system is vulnerable.
Check Version:
Not applicable as a separate command; the version check is done via the web interface. On Windows, the installation directory also contains version files that can be checked.
Verify Fix Applied:
After patching, verify the version shows 7111 or later in Help > About. Test file upload functionality to ensure restrictions are in place.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activity in ADManager Plus logs
- Unexpected process execution from web server directories
- Web shell file creation in upload directories
Network Indicators:
- HTTP POST requests to file upload endpoints with suspicious file extensions
- Outbound connections from ADManager Plus server to unknown external IPs
SIEM Query:
source="ADManagerPlus" AND (event="FileUpload" OR event="FileCreation") AND file_extension IN ("jsp", "php", "asp", "aspx", "war", "jar")
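The network indicator above (POST requests carrying files with web-executable extensions) turned into detection logic over constructed log lines. This is an added example, not code from the advisory or from ManageEngine; the log line format, the /upload path and the sample entries are assumptions, and the extension list is the one from the SIEM query.

```python
import re
from typing import Dict, List, Optional

# Extensions from the page's SIEM query; anything else is treated as benign here.
SUSPICIOUS_EXT = {"jsp", "php", "asp", "aspx", "war", "jar"}

# Assumed (constructed) log line shape: '<ip> <method> <path> <status> [filename=<name>]'.
# Real ADManager Plus or reverse-proxy logs will need their own pattern.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: filename=(?P<filename>\S+))?$"
)


def file_extension(name: str) -> str:
    """Lower-cased final extension, so 'shell.jpg.jsp' and 'cmd.JSP' both yield 'jsp'."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_uploads(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return entries for POST requests whose uploaded filename has a web-executable extension."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry or entry["method"] != "POST" or not entry["filename"]:
            continue
        if file_extension(entry["filename"]) in SUSPICIOUS_EXT:
            hits.append(entry)
    return hits


# Constructed sample lines; the addresses and paths are not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET /home 200",
    "10.0.0.7 POST /upload 200 filename=report.csv",
    "198.51.100.23 POST /upload 200 filename=cmd.JSP",
    "198.51.100.23 POST /upload 200 filename=image.jpg.jsp",
    "10.0.0.9 POST /upload 500 filename=config.xml",
]

if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(f"ALERT {hit['ip']} uploaded {hit['filename']} to {hit['path']}")
```

Matching on the final extension only is deliberate: a double extension such as image.jpg.jsp is still executed by the extension the server sees last, so it must not be whitelisted by its inner name.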