CVE-2021-42002
📋 TL;DR
This vulnerability lets an attacker bypass an upload filter in Zoho ManageEngine ADManager Plus and place a malicious file on the server, leading to remote code execution in the context of the ADManager Plus service. Organizations running ADManager Plus builds before 7115 are affected. Because the product holds credentials with rights over Active Directory, a compromised server can give the attacker control of the directory, not just of one host.
💻 Affected Systems
- Zoho ManageEngine ADManager Plus
📦 What is this software?
Zoho ManageEngine ADManager Plus is a web-based Active Directory management and reporting product. It runs as a Java web application and authenticates to AD with a service account that is delegated rights to create, modify and delete directory objects, which is why a compromise of the server is treated as a compromise of the directory.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive Active Directory data, pivot to other network resources, and establish persistent access.
Likely Case
Attackers upload web shells or malware to gain initial access, then escalate privileges to compromise Active Directory environments and deploy ransomware or exfiltrate credentials.
If Mitigated
With proper network segmentation and access controls, impact is limited to the ADManager Plus server itself, though Active Directory integration still poses significant risk.
🎯 Exploit Status
Upload-filter bypasses are typically low-complexity to exploit once the bypass is known: the attacker only needs a request that the filter accepts and that the server stores where it can later be reached. ManageEngine products (ADSelfService Plus and ServiceDesk Plus among them) have been repeatedly exploited in the wild by threat actors, so treat any Internet-exposed ADManager Plus instance as a high-priority target regardless of whether a public exploit for this specific CVE is circulating.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7115
Vendor Advisory: https://www.manageengine.com/products/ad-manager/release-notes.html#7115
Restart Required: Yes
Instructions:
1. Download ADManager Plus build 7115 or later from the ManageEngine website.
2. Back up the current installation and configuration.
3. Run the installer to upgrade.
4. Restart the ADManager Plus service.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to the ADManager Plus server to only the necessary administrative IPs
Use firewall rules to block all inbound traffic except from authorized management networks
File Upload Restrictions
Implement web application firewall rules to block suspicious file upload patterns
WAF rule: deny multipart uploads whose filename carries a server-side or executable extension (for a Java/Tomcat product: .jsp, .jspx, .war, plus .exe, .bat, .ps1, .dll). Note that such a rule is itself a blocklist filter of the kind this vulnerability defeats; it narrows the attack surface but is a stopgap, not a fix.
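The WAF rule above is a blocklist, and blocklist-style upload filters are exactly what this bug class gets past. The following Python is an added illustration for this page, not ADManager Plus code, and the page does not state which check the real CVE-2021-42002 bypass defeated. It contrasts a typical blocklist check with an allowlist check that normalises the filename first; the allowed extensions (a hypothetical CSV import feature) and the attacker filenames are constructed.

```python
"""Why an extension blocklist in an upload handler is bypassable, beside an
allowlist-based check. Generic illustration added to this page; it is not
ADManager Plus code, and the page does not state which check the real
CVE-2021-42002 bypass defeated."""
import posixpath
import unicodedata

# Weak pattern: enumerate "dangerous" server-side and executable extensions.
BLOCKED_EXTENSIONS = {".jsp", ".jspx", ".war", ".exe", ".bat", ".ps1", ".dll"}

# Hardened pattern: enumerate only what the feature needs (hypothetical CSV import).
ALLOWED_EXTENSIONS = {".csv", ".txt"}


def weak_filter(filename):
    """Blocklist check as commonly written: looks only at the exact, as-typed
    final extension. Returns True when the upload would be accepted."""
    return posixpath.splitext(filename)[1] not in BLOCKED_EXTENSIONS


def hardened_filter(filename):
    """Allowlist check. Returns the sanitised basename to store under, or None
    when the upload must be rejected. Never returns a path component, so the
    caller cannot be steered outside the upload directory."""
    # Fold Unicode look-alikes (e.g. fullwidth '.') to their ASCII forms first.
    name = unicodedata.normalize("NFKC", filename)
    # Keep only the final path component; treat backslashes as separators too.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # NUL and other control characters have no place in a filename.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return None
    parts = name.split(".")
    # Exactly "stem.ext" with a non-empty stem: rejects "shell.jsp.csv",
    # "shell.jsp." (trailing dot, stripped by Windows on save) and dotfiles.
    if len(parts) != 2 or not parts[0]:
        return None
    ext = "." + parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return parts[0] + ext


# Constructed attacker filenames; each one passes the blocklist.
BYPASS_ATTEMPTS = [
    "shell.JSP",                 # case variation
    "shell.jsp.",                # trailing dot, normalised away by Windows
    "shell.jsp\x00.csv",         # NUL truncation in a lower layer
    "../../webapps/ROOT/x.csv",  # allowed extension, but a traversal path
]


def compare(filenames):
    """Map each filename to (accepted_by_weak_filter, result_of_hardened_filter)."""
    return {f: (weak_filter(f), hardened_filter(f)) for f in filenames}


if __name__ == "__main__":
    for name, (weak_ok, hardened_name) in compare(BYPASS_ATTEMPTS).items():
        print(f"{name!r}: blocklist accepts={weak_ok}, allowlist stores as={hardened_name!r}")
```

The point for a WAF or application filter is the shape of the check, not the list contents: a blocklist decides on what the attacker typed, while the allowlist decides on a normalised name, refuses anything with more than one extension, and returns the exact basename the server should write, so the storage path is chosen by the server and never by the request.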
🧯 If You Can't Patch
- Immediately isolate the ADManager Plus server from untrusted networks, keep its administrative interface reachable only from management hosts, and restrict logins to essential personnel
- Monitor file upload activity and unusual process execution on the server, in particular child processes spawned by the ADManager Plus Java service
🔍 How to Verify
Check if Vulnerable:
Check the ADManager Plus build number in the web interface or in the installation directory. Builds are plain integers, so compare numerically: anything below 7115 is vulnerable. Confirm the exact fixed build against the vendor release notes linked above.
Check Version:
On Windows: web interface -> Help -> About shows the build number; the page also cites 'C:\Program Files\ManageEngine\ADManager Plus\conf\version.txt' under the installation directory (adjust the path if the product was installed elsewhere).
Verify Fix Applied:
Confirm version is 7115 or higher in the web interface and verify no unauthorized files exist in upload directories.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to ADManager Plus
- Execution of unexpected processes from web directories
- Authentication attempts from unusual locations
Network Indicators:
- HTTP POST requests with file uploads to ADManager Plus endpoints
- Outbound connections from ADManager Plus server to unknown IPs
SIEM Query (illustrative pseudo-query; event and field names depend on the log source and SIEM):
source="ADManager Plus" AND (event="File Upload" OR event="Process Execution") AND result="success"
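The query above only works if the log source emits those event names. A portable form of the same detection runs over the web server's access log and looks for the upload-then-web-shell sequence this page describes: a successful POST from a client, followed shortly by a request from the same client to a server-side page (.jsp or .jspx) that is not part of the application's known baseline. The Python below is an added example, not part of this advisory or of the product; the log lines, the /api/upload path and the baseline page list are constructed.

```python
"""Detection over web-server access logs for the web-shell pattern this page
describes: a successful POST (upload) from a client, followed shortly by a
request from the same client to a server-side page that is not part of the
application's known baseline. Added example; log lines and paths are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Tomcat "combined" access log format. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical baseline: server-side pages the application legitimately serves.
KNOWN_PAGES = {"/Login.jsp", "/index.jsp"}
SERVER_PAGE_EXTS = (".jsp", ".jspx")
WINDOW = timedelta(minutes=10)  # how long after a POST a first-seen page is suspicious


def parse(line):
    """Parse one access-log line into a dict, or return None for lines that
    do not match. The query string is dropped from the request path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["target"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_webshell_pattern(lines):
    """Return one alert per request to a non-baseline .jsp/.jspx path made by a
    client that issued a successful POST within WINDOW beforehand. A POST aimed
    directly at such a page (commands sent to a shell) alerts on the same line."""
    recent_posts = defaultdict(list)  # client ip -> timestamps of successful POSTs
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and 200 <= ev["status"] < 400:
            recent_posts[ev["ip"]].append(ev["ts"])
        if ev["path"].lower().endswith(SERVER_PAGE_EXTS) and ev["path"] not in KNOWN_PAGES:
            prior = [t for t in recent_posts[ev["ip"]] if timedelta(0) <= ev["ts"] - t <= WINDOW]
            if prior:
                alerts.append({
                    "ip": ev["ip"],
                    "path": ev["path"],
                    "ts": ev["ts"].isoformat(),
                    "prior_posts": len(prior),
                })
    return alerts


# Constructed sample: one benign admin session and one upload-then-web-shell sequence.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2021:09:58:12 +0000] "GET /Login.jsp HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Oct/2021:10:00:00 +0000] "POST /api/upload HTTP/1.1" 200 57 "-" "python-requests/2.26"',
    '198.51.100.7 - - [20/Oct/2021:10:00:31 +0000] "GET /uploads/cmd.jsp?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.26"',
    '10.0.0.5 - - [20/Oct/2021:10:02:45 +0000] "GET /index.jsp HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Oct/2021:10:05:10 +0000] "GET /images/x.jspx HTTP/1.1" 404 512 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for a in detect_webshell_pattern(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['ip']} requested {a['path']} after {a['prior_posts']} POST(s)")
```

Build KNOWN_PAGES from a baseline capture of the patched application rather than by hand, and tune WINDOW to how quickly your environment sees post-upload activity; a request to a never-before-seen .jsp with no preceding POST (the 203.0.113.9 line) is left to lower-severity inventory alerting so this rule stays high-signal.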