CVE-2021-37931

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload arbitrary files to Zoho ManageEngine ADManager Plus servers, which can lead to remote code execution. It affects ADManager Plus version 7110 and earlier. Attackers can potentially gain full control of affected systems.

💻 Affected Systems

Products:
  • Zoho ManageEngine ADManager Plus
Versions: 7110 and prior
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable.

📦 What is this software?

Zoho ManageEngine ADManager Plus is a web-based Active Directory management and reporting product; the vulnerable file-upload functionality sits in that web application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with administrative privileges, data exfiltration, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to web shell deployment, credential theft, and further network reconnaissance.

🟢 If Mitigated

Limited impact with proper network segmentation, file upload restrictions, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and has been observed in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7111

Vendor Advisory: https://www.manageengine.com/products/ad-manager/release-notes.html#7111

Restart Required: Yes

Instructions:

1. Download ADManager Plus version 7111 or later from the ManageEngine website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the ADManager Plus service.

🔧 Temporary Workarounds

Restrict File Uploads (applies to: all)

Configure the web server to block file uploads to the vulnerable endpoints.

Network Segmentation (applies to: all)

Isolate the ADManager Plus server from the internet and restrict internal access.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy web application firewall with file upload restrictions

🔍 How to Verify

Check if Vulnerable:

Check the ADManager Plus version in the web interface or in the installation directory.

Check Version:

Open Help > About in the web interface, or examine buildinfo.txt in the installation directory.

Verify Fix Applied:

Confirm the version is 7111 or later, then test the file upload functionality to make sure it behaves as expected after the upgrade.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to ADManager Plus endpoints
  • Web shell creation in web directories
  • Suspicious process execution from web server context

Network Indicators:

  • HTTP POST requests to file upload endpoints with executable content
  • Outbound connections from ADManager Plus server to unknown IPs

SIEM Query:

source="ADManagerPlus" AND (url="*upload*" OR url="*file*" OR process="cmd.exe" OR process="powershell.exe")
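The SIEM query above is written for a generic search engine; as an added example (not part of the advisory, and not ManageEngine code), the script below applies the same logic in Python over constructed key=value log records so the detection can be tested offline. The log format, the field names (source, url, process, method, content_type, parent) and the sample values are assumptions; adapt parse_record() to whatever your web-server and endpoint logs actually emit. It goes one step beyond the query by grading hits: a shell spawned under the web server, or a POST to an upload URL whose body is declared as executable content, is rated high, while a bare "*file*" substring match is rated medium because that wildcard also matches benign pages.

```python
import re

# Constructed sample records (not real ADManager Plus logs). The key=value
# layout is an assumption; only parse_record() depends on it.
SAMPLE_LOGS = """\
source=ADManagerPlus method=GET url=/home.do status=200 src=10.0.0.5
source=ADManagerPlus method=POST url=/upload status=200 src=198.51.100.23 content_type=application/x-msdownload
source=ADManagerPlus process=cmd.exe parent=java.exe cmdline="cmd.exe /c whoami"
source=Other method=POST url=/api/upload status=200 src=10.0.0.9
source=ADManagerPlus method=GET url=/profile.do?action=file status=200 src=10.0.0.8
source=ADManagerPlus process=powershell.exe parent=java.exe cmdline="powershell.exe -Command Get-Process"
source=ADManagerPlus method=POST url=/reports.do status=200 src=10.0.0.7
"""

SUSPICIOUS_PROCESSES = {"cmd.exe", "powershell.exe"}
URL_TERMS = ("upload", "file")  # the "*upload*" / "*file*" wildcards of the SIEM query
# MIME types that should never arrive in an ADManager Plus upload.
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-java-archive",
    "application/octet-stream",
}

# key=value pairs; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Parse one key=value log line into a dict (quoted values allowed)."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(line)
    }


def classify(rec):
    """Return (severity, reasons) for one record, or None when it does not match.

    Mirrors the SIEM query: source must be ADManagerPlus, and either the URL
    contains 'upload'/'file' or the process is cmd.exe/powershell.exe.
    """
    if rec.get("source") != "ADManagerPlus":
        return None
    reasons = []
    url = rec.get("url", "").lower()
    proc = rec.get("process", "").lower()
    if proc in SUSPICIOUS_PROCESSES:
        reasons.append(
            f"shell process {proc} spawned under the web server "
            f"(parent={rec.get('parent', '?')})"
        )
    if any(term in url for term in URL_TERMS):
        reasons.append(f"request to upload/file URL {rec.get('url')}")
        if (rec.get("method") == "POST"
                and rec.get("content_type", "").lower() in EXECUTABLE_CONTENT_TYPES):
            reasons.append(
                f"POST body declared as executable content ({rec['content_type']})"
            )
    if not reasons:
        return None
    # A shell spawn, or an upload URL hit combined with executable content, is
    # high; a lone URL-substring hit is medium because '*file*' is noisy.
    high = proc in SUSPICIOUS_PROCESSES or len(reasons) > 1
    return ("high" if high else "medium", reasons)


def detect(log_text):
    """Run classify() over every line; return [(line_no, severity, reasons), ...]."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        result = classify(parse_record(line))
        if result is not None:
            findings.append((n, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for n, severity, reasons in detect(SAMPLE_LOGS):
        print(f"line {n} [{severity}]: " + "; ".join(reasons))
```

On the constructed sample, lines 2, 3 and 6 are rated high (executable upload, cmd.exe and powershell.exe under java.exe) and line 5 medium (a GET whose query string merely contains "file"); the record with source=Other is ignored exactly as the source="ADManagerPlus" filter of the query would ignore it.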
