CVE-2021-37929

9.8 CRITICAL

📋 TL;DR

ADManager Plus builds 7110 and earlier accept file uploads without restricting what is uploaded or where it is written. An attacker who can reach the web interface can place a file that the server then executes, giving remote code execution on the ADManager Plus host. Because the product runs with a domain account that administers Active Directory, compromise of the host puts the directory it manages at risk, not just one server.

💻 Affected Systems

Products:
  • Zoho ManageEngine ADManager Plus
Versions: All versions up to and including 7110
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

ADManager Plus is a web-based Active Directory administration and reporting product from Zoho's ManageEngine division. It is installed on a server inside the domain and configured with an account that can create, modify and delete AD objects, which is why code execution on its host matters well beyond that machine.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the ADManager Plus host with administrative privileges, followed by abuse of the product's stored AD credentials for lateral movement, data exfiltration and persistent backdoors.

🟠 Likely Case: Remote code execution via a dropped web shell, leading to theft of the service credentials, service disruption, and deployment of ransomware or other malware.

🟢 If Mitigated: Limited impact where the server is segmented from the internet and from critical systems, runs under a least-privilege service account, and is watched for unexpected file writes and child processes. No configuration of the affected builds disables the vulnerable upload, so these measures shrink the blast radius rather than remove the exposure.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication.
🏢 Internal Only: HIGH - Even internally, this provides a foothold for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7111 and later

Vendor Advisory: https://www.manageengine.com/products/ad-manager/release-notes.html#7111

Restart Required: Yes

Instructions:

1. Download ADManager Plus build 7111 or later from the ManageEngine website (see the release notes linked above).
2. Stop the ADManager Plus service.
3. Install the update.
4. Restart the service.
5. Confirm the build number shown in the web interface is 7111 or higher.

🔧 Temporary Workarounds

Restrict File Upload Types (applies to: all deployments)

Put a web application firewall or reverse proxy in front of ADManager Plus and block multipart uploads whose filenames carry server-executable extensions (.jsp, .jspx, .war and similar). Treat this as a stopgap only: extension deny-lists are routinely bypassed, and the product itself offers no setting that restricts the vulnerable upload.

Network Segmentation (applies to: all deployments)

Isolate the ADManager Plus server from the internet and from critical network segments, and restrict inbound access to the administrators who need the console.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy a web application firewall with file upload filtering rules
  • Monitor the host for new server-executable files under the web root and for unexpected child processes of the ADManager Plus Java process

🔍 How to Verify

Check if Vulnerable:

Read the build number from the web interface or from the installation directory. Builds 7110 and below are vulnerable; 7111 and later carry the fix.

Check Version:

Web interface, or %PROGRAMFILES%\ManageEngine\ADManager Plus\conf\version.txt on Windows (default path; adjust if the product was installed elsewhere).

Verify Fix Applied:

Confirm the build is 7111 or higher after patching. Patching stops further uploads but removes nothing already written, so also review the web root for server-executable files that are not part of the product and look for persistence established before the patch.
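The two checks above, as an added example (this is not vendor code and not code from the original page): it reads the build number and compares it against 7111, then diffs the server-executable files under the web root against a file list taken from a clean reference install of the same build. Assumptions not stated on the page: version.txt is treated as free text and the first number of four or more digits in it is taken as the build; the web content lives under `<install>\webapps`; the baseline list is one relative path per line; the file and directory names in the test data are constructed.

```python
"""Post-patch audit for ADManager Plus (added example, not vendor code).

  1. Did the build actually move to >= 7111?
  2. Were any server-executable files left behind by an upload that happened
     before the patch?  The patch closes the door but deletes nothing.

Assumptions: version.txt holds the build as the first 4+ digit number in the
file; web content sits under <install>\\webapps; the baseline is a list of
relative paths from a clean install of the same build.
"""
import os
import re
import sys
from pathlib import PurePosixPath
from typing import Iterable, List

FIXED_BUILD = 7111  # first fixed build per the vendor release notes
# Extensions Tomcat or Windows will execute if an attacker can reach them.
EXEC_EXT = {".jsp", ".jspx", ".war", ".jar", ".class",
            ".exe", ".bat", ".cmd", ".ps1", ".dll", ".vbs"}


def parse_build(text: str) -> int:
    """Return the first 4+ digit number in version.txt (assumed to be the build)."""
    m = re.search(r"\b(\d{4,})\b", text)
    if not m:
        raise ValueError("no build number found in version.txt")
    return int(m.group(1))


def is_vulnerable(build: int) -> bool:
    """Builds 7110 and earlier are affected; 7111 and later are fixed."""
    return build < FIXED_BUILD


def _norm(path: str) -> str:
    # Normalise separators and case so Windows and POSIX baselines compare.
    return path.replace("\\", "/").lower()


def unexpected_exec_files(current: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Server-executable files present now but absent from the known-good list."""
    known = {_norm(p) for p in baseline}
    hits = [p for p in current
            if PurePosixPath(_norm(p)).suffix in EXEC_EXT and _norm(p) not in known]
    return sorted(hits)


def list_files(root: str) -> List[str]:
    """Every file under root as a path relative to root."""
    out = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            out.append(os.path.relpath(os.path.join(dirpath, n), root))
    return out


def audit(install_dir: str, baseline_file: str) -> dict:
    """Combine the build check and the web-root diff for one installation."""
    version_file = os.path.join(install_dir, "conf", "version.txt")
    with open(version_file, encoding="utf-8", errors="replace") as fh:
        build = parse_build(fh.read())
    with open(baseline_file, encoding="utf-8") as fh:
        baseline = [line.strip() for line in fh if line.strip()]
    webroot = os.path.join(install_dir, "webapps")
    return {
        "build": build,
        "vulnerable": is_vulnerable(build),
        "unexpected_files": unexpected_exec_files(list_files(webroot), baseline),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: admp_audit.py <install_dir> <baseline_file_list>")
    result = audit(sys.argv[1], sys.argv[2])
    state = "VULNERABLE" if result["vulnerable"] else "patched"
    print(f"build {result['build']}: {state}")
    for p in result["unexpected_files"]:
        print("unexpected executable content:", p)
```

A file flagged by the diff is not proof of compromise (the baseline must come from the same build, and some deployments add custom content), but every hit should be explained before the host is declared clean.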

📡 Detection & Monitoring

Log Indicators:

  • New server-executable files (.jsp, .jspx, .war) appearing under the ADManager Plus web root
  • Unexpected child processes (cmd.exe, powershell.exe) spawned by the ADManager Plus Java process
  • Web server access or error logs showing multipart POST requests followed by requests to paths that did not exist before

Network Indicators:

  • HTTP POST requests carrying file uploads to ADManager Plus endpoints, especially from unfamiliar sources
  • Outbound connections from the ADManager Plus server to unknown destinations

SIEM Query:

source="ADManager Plus" AND (event="FileUpload" OR event="ProcessCreation")   (schematic; map the source and event fields to your SIEM's schema)
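The log indicators above describe one sequence: an upload, then a request to a path that did not exist before, then command-style parameters against it. The following is an added detection example (not code from the original page or from the vendor) that runs that logic over Tomcat/Apache combined-format access log lines. Rule 1 fires when a client POSTs and, within a window, is the first client ever to fetch a server-executable path and gets a 200; rule 2 fires when such a path is requested with a shell-style query parameter. The log lines, client addresses and URL paths are constructed and are not ADManager Plus's real routes; the parameter names in SHELL_PARAMS are a heuristic to tune per environment.

```python
"""Web-shell pattern detection over access logs (added example, not vendor code).

Rule 1 (upload_then_exec): same client POSTs, then within window_s is the
  first to request a never-before-seen .jsp/.jspx/.war path with a 200.
Rule 2 (shell_param): any request to a server-executable path whose query
  string carries a shell-style parameter name (heuristic).
Sample log lines and endpoint paths are constructed for the example.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

EXEC_EXT = (".jsp", ".jspx", ".war")
SHELL_PARAMS = {"cmd", "command", "exec", "shell"}  # heuristic; tune locally
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: a normal login, an upload, a first hit on the dropped
# shell, an unrelated user, a repeat shell call, and a failed attempt elsewhere.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2021:10:14:58 +0000] "GET /app/login.jsp HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2021:10:15:01 +0000] "POST /app/fileupload HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
10.0.0.5 - - [12/Sep/2021:10:15:03 +0000] "GET /app/uploads/cmd.jsp?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
10.0.0.7 - - [12/Sep/2021:10:20:00 +0000] "GET /app/home.jsp HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2021:10:25:03 +0000] "GET /app/uploads/cmd.jsp?cmd=ipconfig HTTP/1.1" 200 300 "-" "python-requests/2.25.1"
10.0.0.9 - - [12/Sep/2021:11:00:00 +0000] "POST /app/fileupload HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [12/Sep/2021:11:00:02 +0000] "GET /app/uploads/x.jsp HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, url, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["url"], int(m["status"])


def detect(lines, window_s: int = 300) -> List[Tuple[str, str, str, str]]:
    """Yield (rule, ip, path, iso_timestamp) alerts in log order."""
    alerts: List[Tuple[str, str, str, str]] = []
    last_post: Dict[str, datetime] = {}   # most recent POST per client
    seen_exec = set()                     # executable paths already observed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, url, status = rec
        parts = urlsplit(url)
        path = parts.path.lower()
        prev_post = last_post.get(ip)     # evaluate against the *previous* POST
        if path.endswith(EXEC_EXT):
            first_seen = path not in seen_exec
            seen_exec.add(path)
            if (first_seen and status == 200 and prev_post is not None
                    and 0 <= (ts - prev_post).total_seconds() <= window_s):
                alerts.append(("upload_then_exec", ip, path, ts.isoformat()))
            if SHELL_PARAMS & set(parse_qs(parts.query).keys()):
                alerts.append(("shell_param", ip, path, ts.isoformat()))
        if method == "POST":
            last_post[ip] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Rule 1 deliberately keys on "first time this path was ever requested" rather than on an upload endpoint name, so it does not depend on knowing the vulnerable route; run it over a long enough history that legitimate .jsp pages have already been seen, or seed `seen_exec` from a clean install's file list to avoid a burst of false positives on the first day.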

🔗 References
