What is the CVSS score of CVE-2026-2740?

CVE-2026-2740 has a CVSS 3.1 base score of 8.4 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 1.2%.

Which versions of ManageEngine ADSelfService Plus are affected by CVE-2026-2740?

Three Zoho ManageEngine products (ADSelfService Plus, DataSecurity Plus, RecoveryManager Plus) contain a high-severity vulnerability enabling authenticated attackers with low privileges to execute…. A patch is available.

ManageEngine ADSelfService Plus CVE-2026-2740

EUVD-2026-31283 HIGH

Command Injection (CWE-77)

2026-05-21 Zohocorp

GHSA-hrrx-gqw9-2hrq

RCE Command Injection Zoho

8.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

May 21, 2026 - 14:18 vuln.today

Patch available

May 21, 2026 - 14:02 EUVD

DescriptionNVD

Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.

AnalysisAI

Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313) on agent machines, stemming from a flaw in a bundled third-party dependency. An authenticated attacker with low privileges can inject commands (CWE-77) to execute arbitrary code on managed agent endpoints, with no public exploit identified at time of analysis.

RemediationAI

Within 24 hours: Identify all Zoho ManageEngine deployments and current versions; restrict administrative access to trusted networks only. Within 7 days: Deploy patches to ADSelfService Plus (build 6525 or later), DataSecurity Plus (6264 or later), and RecoveryManager Plus (6313 or later) after testing in non-production. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-2740 vulnerability details – vuln.today

Back

ManageEngine ADSelfService Plus CVE-2026-2740

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code