CVE-2021-40539

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authentication in the Zoho ManageEngine ADSelfService Plus REST API, leading to remote code execution. It affects organizations using ADSelfService Plus version 6113 and prior for self-service password management and single sign-on.

💻 Affected Systems

Products:
  • Zoho ManageEngine ADSelfService Plus
Versions: Version 6113 and all prior versions
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with domain admin privileges, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case

Unauthenticated attackers gain administrative access to ADSelfService Plus, execute arbitrary commands, and potentially compromise Active Directory credentials.

🟢 If Mitigated

Attackers are blocked at the network perimeter, unable to reach vulnerable systems, with minimal impact due to segmentation and monitoring.

🌐 Internet-Facing: HIGH - Directly exploitable without authentication, making internet-facing instances immediate targets.
🏢 Internal Only: HIGH - Even internally, attackers can exploit this from any network segment with access to the service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available, trivial to execute with automated tools. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6114 and later

Vendor Advisory: https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html

Restart Required: Yes

Instructions:

1. Download the latest version from the ManageEngine website.
2. Stop the ADSelfService Plus service.
3. Install the update.
4. Restart the service.

🔧 Temporary Workarounds

Network Segmentation
Applies to: all

Block external access to ADSelfService Plus ports (typically 8888, 8443)

Web Application Firewall Rules
Applies to: all

Block requests to vulnerable REST API endpoints

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet and restrict internal network access
  • Implement strict network monitoring for exploitation attempts and unusual REST API activity

🔍 How to Verify

Check if Vulnerable:

Check version number in ADSelfService Plus admin console or installation directory. Versions ≤6113 are vulnerable.

Check Version:

Check Help → About in admin interface or examine build.txt in installation directory

Verify Fix Applied:

Confirm version is 6114 or higher and test authentication requirements for REST API endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated REST API requests to /RestAPI/LogonCustomization
  • Unusual process creation from ADSelfService Plus service

Network Indicators:

  • HTTP requests to /RestAPI/* endpoints without authentication headers
  • Unusual outbound connections from ADSelfService Plus server

SIEM Query:

source="ADSelfService Plus" AND ((uri="/RestAPI/*" AND NOT auth_token=*) OR process="cmd.exe" OR process="powershell.exe")

Note on the query: AND binds tighter than OR, so without the outer parentheses the two process clauses would match cmd.exe and powershell.exe launches from every log source, not just the ADSelfService Plus host, and the search would be swamped with unrelated hits.
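The two indicator families above (unauthenticated /RestAPI/ requests and shell processes spawned by the service) as a small detector run over constructed sample log lines. This is an added example, not code from the page or from ManageEngine; the access-log layout, the `auth_token=` field, the process-event format, and the install path are all assumptions to be replaced with your own log sources.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed, simplified log layouts for this example; adapt the regexes to
# the real ADSelfService Plus access log and your EDR/Sysmon process events.
WEB_RE = re.compile(r'^(?P<src>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\S+" '
                    r'\d{3} auth_token=(?P<token>\S+)$')
PROC_RE = re.compile(r'^\[[^\]]+\] ProcessCreate parent="(?P<parent>[^"]+)" image="(?P<image>[^"]+)"$')
SERVICE_MARKER = "ADSelfService Plus"                # assumed substring of the service's parent path
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}  # the processes named in the page's SIEM query

def canonical_path(uri: str) -> str:
    """Drop the query string and collapse '.', '..' and '//' segments so the
    /RestAPI/ prefix check runs on the canonical path, not the literal one."""
    path = posixpath.normpath(uri.split("?", 1)[0])
    return path if path.startswith("/") else "/" + path

def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a line matches one of the page's two
    indicators, else None. The indicators are OR-ed, each scoped to the
    ADSelfService Plus host by the log source feeding this function."""
    m = WEB_RE.match(line)
    if m:
        path = canonical_path(m["uri"])
        if path.startswith("/RestAPI/") and m["token"] == "-":
            sev = "high" if path.startswith("/RestAPI/LogonCustomization") else "medium"
            return sev, f"unauthenticated {m['method']} {path} from {m['src']}"
        return None
    m = PROC_RE.match(line)
    if m and SERVICE_MARKER in m["parent"]:
        child = m["image"].rsplit("\\", 1)[-1].lower()
        if child in SUSPICIOUS_CHILDREN:
            return "high", f"{child} spawned by {m['parent']}"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over a log batch and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines: not real traffic, and the install path is a placeholder.
SAMPLE = [
    '10.0.0.5 [10/Sep/2021:10:01:02 +0000] "GET /selfservice/index.html HTTP/1.1" 200 auth_token=-',
    '10.0.0.5 [10/Sep/2021:10:01:05 +0000] "GET /RestAPI/ExampleEndpoint HTTP/1.1" 200 auth_token=a1b2',
    '203.0.113.9 [10/Sep/2021:10:02:11 +0000] "POST /RestAPI/LogonCustomization?x=1 HTTP/1.1" 200 auth_token=-',
    '[10/Sep/2021:10:02:13 +0000] ProcessCreate parent="C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe" image="C:\\Windows\\System32\\cmd.exe"',
    '[10/Sep/2021:10:02:14 +0000] ProcessCreate parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\cmd.exe"',
]

if __name__ == "__main__":
    for sev, why in scan(SAMPLE):
        print(sev.upper(), why)
```

Run against the constructed sample it reports two hits: the unauthenticated POST to /RestAPI/LogonCustomization and cmd.exe spawned under the service, while the authenticated REST call and the explorer.exe-launched shell are ignored.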

🔗 References
