Mallory
Critical | CISA KEV | Exploited in the wild | Public exploit

Authentication Bypass and RCE in Zoho ManageEngine ADSelfService Plus

Identifiers: CVE-2021-40539, CWE-288

CVE-2021-40539 is a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus affecting builds up to 6113. The flaw affects certain REST API URLs. According to vendor and government reporting, ADSelfService Plus used a security filter to authenticate REST API requests, but an error in URL normalization before validation allowed specially crafted paths such as '/../RestAPI' or '/./RestAPI' to bypass that filter. This let unauthenticated attackers reach protected REST API endpoints and leverage them for follow-on arbitrary command execution, resulting in remote code execution. Public reporting and incident-response guidance also indicate exploitation commonly involved uploading a JSP webshell, including a .zip masquerading as an x509 certificate named service.cer, with webshell access observed at paths such as /help/admin-guide/Reports/ReportGenerate.jsp.
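The ordering problem described above (path compared to the protected prefix before it is normalized) is easy to see in a few lines. The following is an added illustration, not code from Mallory, Zoho, or the product: it models a prefix-based filter in Python, once in the flawed order and once canonicalizing first. The prefix '/RestAPI', the two bypass shapes, and the percent-encoded variant are taken from the description; the percent-decoding step and the use of posixpath.normpath are assumptions about a sound fix, not the vendor's actual patch.

```python
import posixpath
from urllib.parse import unquote

# Path prefix the filter is meant to protect (the REST API the page describes).
PROTECTED_PREFIX = "/RestAPI"


def _under_protected_prefix(path: str) -> bool:
    """True when path is the protected prefix itself or something beneath it."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def requires_auth_vulnerable(raw_path: str) -> bool:
    """Models the flawed ordering the page describes: the filter inspects the
    request path as received, before the container normalizes it. A path such
    as '/./RestAPI/Connection' or '/../RestAPI/Connection' does not match the
    prefix here, so the filter treats it as public, yet the servlet container
    later resolves it to '/RestAPI/Connection' and dispatches to the API.
    Returns True only if the filter would demand authentication."""
    return _under_protected_prefix(raw_path)


def requires_auth_fixed(raw_path: str) -> bool:
    """Hardened ordering: canonicalize first, then compare.

    Canonicalization here is an assumption about good practice, not the
    vendor's actual fix: percent-decode (so '%2e%2e' becomes '..'), then
    collapse '.' and '..' segments with posixpath.normpath, which on POSIX
    also resolves a leading '/..' to '/'."""
    canonical = posixpath.normpath(unquote(raw_path))
    return _under_protected_prefix(canonical)


if __name__ == "__main__":
    # Constructed sample paths: the two bypass forms quoted on the page, a
    # percent-encoded variant, a legitimate API path, and unrelated paths.
    samples = [
        "/RestAPI/Connection",
        "/./RestAPI/LogonCustomization",
        "/../RestAPI/Connection",
        "/%2e%2e/RestAPI/Connection",
        "/help/admin-guide/index.html",
        "/RestAPIx",
    ]
    for p in samples:
        print(f"{p:35} vulnerable filter: {requires_auth_vulnerable(p)!s:5} "
              f"fixed filter: {requires_auth_fixed(p)}")
```

The design point is that any access-control decision keyed on a path must be made on the same canonical form the dispatcher will use; if the filter and the container disagree on what a path means, the gap between them is the bypass.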

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation permits unauthenticated remote compromise of the ADSelfService Plus server. Reported post-exploitation outcomes include arbitrary code execution, malware installation, JSP webshell deployment and persistence, credential dumping, theft of NTDS.dit and registry hives, compromise of administrator credentials, lateral movement via WMI and other native tooling, data exfiltration, and full control of the affected host. Where the server is integrated into Active Directory workflows, compromise can materially increase the risk of broader domain compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, remove ADSelfService Plus from direct internet exposure and restrict access to trusted management networks only. Monitor and block suspicious requests to REST API paths, especially normalization-bypass patterns like '/../RestAPI' and '/./RestAPI'. Hunt for known webshell and file-path indicators published by ManageEngine, CISA, FBI, and partners. Enable and centralize detailed logging, review serverOut and application logs for related exceptions and tracebacks, and inspect for persistence mechanisms and use of native admin tools. Segment the host from sensitive internal systems, enforce MFA for administrative access where possible, and treat any confirmed exploitation as a likely broader intrusion requiring full incident response.

Remediation

Patch, then assume compromise.

Upgrade Zoho ManageEngine ADSelfService Plus to build 6114 or later; the vendor released the fix on 2021-09-07 (some agency reporting references 2021-09-06). For potentially compromised systems, follow vendor IR guidance: isolate affected hosts, back up necessary data, rebuild or reinstall the product on clean systems, restore from trusted backups, then update to build 6114 or later. Review logs for exploitation artifacts including '/../RestAPI' and '/./RestAPI', inspect for suspicious files such as service.cer, ReportGenerate.jsp, adap.jsp, custom.bat, custom.txt, and other published IOCs, and investigate for unauthorized access, compromised AD accounts, credential theft, and lateral movement. If domain data such as NTDS.dit or registry hives were accessed, perform domain-wide credential hygiene and broader compromise response accordingly.
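The mitigation and remediation notes above both come down to two hunts: find requests whose path only resolves to /RestAPI after normalization, and find files carrying the published indicator names. The script below is an added example written for this page, not Mallory's tooling or vendor guidance. It assumes a common/combined-format web access log (the product's own log layout may differ), percent-decodes and normalizes each request path before comparing it with the raw path, and checks file base names against the names listed on the page. The log lines and file paths are constructed samples.

```python
import os
import posixpath
import re
from urllib.parse import unquote, urlsplit

PROTECTED_PREFIX = "/RestAPI"

# Request line of a common/combined-format access log (assumed format; the
# product's own log layout may differ and would need its own pattern).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# File names the page lists as published indicators. A name match is a lead
# for triage, not proof of compromise.
IOC_FILENAMES = {"service.cer", "ReportGenerate.jsp", "adap.jsp", "custom.bat", "custom.txt"}


def _under_protected_prefix(path):
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def is_normalization_bypass(target):
    """True when the path as requested is NOT under /RestAPI but becomes
    /RestAPI/... once percent-decoded and normalized, i.e. the '/../RestAPI'
    and '/./RestAPI' shape the page tells you to hunt for."""
    raw = urlsplit(target).path
    canonical = posixpath.normpath(unquote(raw))
    return _under_protected_prefix(canonical) and not _under_protected_prefix(raw)


def scan_access_log(lines):
    """Return one dict (src, ts, method, target, status) per request whose
    path shows the bypass shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real hunt should count these too
        if is_normalization_bypass(m.group("target")):
            hits.append(m.groupdict())
    return hits


def find_ioc_files(paths):
    """Filter an iterable of file paths down to those whose base name is a
    published indicator."""
    return [p for p in paths if os.path.basename(p) in IOC_FILENAMES]


def walk_for_iocs(root):
    """Same check over a live directory tree (for example the product's
    webapps directory)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files if f in IOC_FILENAMES)
    return found


# Constructed sample log lines (not real traffic): two bypass requests, an
# ordinary page fetch, an unauthenticated call on the plain API path that the
# filter correctly rejected, and a percent-encoded bypass variant.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Sep/2021:10:01:02 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Sep/2021:10:01:05 +0000] "POST /./RestAPI/Connection HTTP/1.1" 200 128',
    '198.51.100.7 - - [07/Sep/2021:10:02:00 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 4096',
    '198.51.100.7 - - [07/Sep/2021:10:03:00 +0000] "POST /RestAPI/Connection HTTP/1.1" 401 0',
    '203.0.113.5 - - [07/Sep/2021:10:04:00 +0000] "GET /%2e%2e/RestAPI/Connection HTTP/1.1" 200 128',
]

# Constructed file listing (hypothetical install paths, not the vendor's).
SAMPLE_FILES = [
    "/opt/adssp/webapps/adssp/help/admin-guide/Reports/ReportGenerate.jsp",
    "/opt/adssp/webapps/adssp/help/admin-guide/index.html",
    "/opt/adssp/bin/custom.bat",
    "/opt/adssp/logs/serverOut_0.txt",
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["target"]} -> {h["status"]}')
    for f in find_ioc_files(SAMPLE_FILES):
        print("IOC file name:", f)
```

A hit from scan_access_log with a 200 status on the bypass shape deserves the same treatment the remediation text prescribes: treat the host as compromised and pivot to the file hunt, persistence review, and credential checks rather than just blocking the pattern.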
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 2 / 3 total
CVE-2021-40539 | Maturity: PoC | Verified exploit

This repository contains a Python exploit script (exploit.py) targeting CVE-2021-40539, a critical authentication bypass and RCE vulnerability in ManageEngine ADSelfService Plus. The exploit works by uploading a JSP webshell and/or a malicious Java class to the vulnerable server via the '/./RestAPI/LogonCustomization' endpoint, then triggering remote code execution through the '/./RestAPI/Connection' endpoint. The script can optionally verify if the target is vulnerable before exploitation. If successful, the attacker gains a webshell at '/help/admin-guide/test.jsp', allowing arbitrary command execution. The repository is structured with a single exploit script and a README referencing external exploitation details. The exploit is operational, providing a working payload and automated exploitation steps.

synacktiv | Disclosed Nov 3, 2021 | python | network
CVE-2021-40539 | Maturity: PoC | Verified exploit

This repository contains a Python exploit script (CVE-2021-40539.py) targeting Zoho ManageEngine ADSelfService Plus (version 6113 and earlier) for CVE-2021-40539, a critical authentication bypass and remote code execution vulnerability. The script allows both single-target and batch exploitation. It first checks if the target is vulnerable by sending a crafted POST request to the '/./RestAPI/LogonCustomization' endpoint. If vulnerable, it uploads a JSP webshell and a Java class file (either user-supplied or a default payload) to the same endpoint. The exploit then triggers RCE by sending a POST request to '/./RestAPI/Connection', leveraging the uploaded Java class. Finally, it verifies the webshell at '/help/admin-guide/test.jsp', which can be used to execute arbitrary commands on the target system. The repository also includes a README.md with usage instructions and background on the vulnerability. The exploit is operational, providing a working RCE chain with persistent access via the webshell.

lpyydxs | Disclosed Oct 12, 2024 | python | network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor     Product                          Type
Zohocorp   Manageengine Adselfservice Plus  application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (7)

Every observed campaign linking this CVE to a named adversary.

Associated malware (5)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (2)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (1)

Community discussion across Reddit, Mastodon, and other social sources.