Skip to main content

ManageEngine ADSelfService Plus EUVDEUVD-2026-31283

| CVE-2026-2740 HIGH
Command Injection (CWE-77)
2026-05-21 Zohocorp GHSA-hrrx-gqw9-2hrq
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 14:18 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.

AnalysisAI

Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313) on agent machines, stemming from a flaw in a bundled third-party dependency. An authenticated attacker with low privileges can inject commands (CWE-77) to execute arbitrary code on managed agent endpoints, with no public exploit identified at time of analysis.

Technical ContextAI

ManageEngine ADSelfService Plus is an identity and self-service password management platform deployed in enterprise Active Directory environments; DataSecurity Plus provides file auditing and data discovery, while RecoveryManager Plus performs AD/Microsoft 365 backup and recovery. All three products deploy lightweight agents to managed endpoints to gather telemetry or enforce policy. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), confirmed by the 'Command Injection' tag, located in a third-party dependency shared across these Zoho products. The CPE strings (cpe:2.3:a:zohocorp:manageengine_adselfservice_plus, manageengine_datasecurity_plus, manageengine_recoverymanager_plus) confirm the bug spans all three product families through the same shared component, and the impact is on the agent machines rather than the central server.

RemediationAI

Vendor-released patches are available: upgrade ManageEngine ADSelfService Plus to build 6525 or later, DataSecurity Plus to build 6264 or later, and RecoveryManager Plus to build 6313 or later, following the vendor advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-2740.html. Because the flaw lives in the deployed agent, ensure that not only the server console is patched but that all rolled-out agent binaries are updated on every managed endpoint, since a partially patched fleet remains exposed. As a compensating control until patching completes, restrict network reachability to agent listening services using host firewall rules so that only the management server can talk to agents (this will not break normal product operation), and tighten the privilege of accounts that can authenticate to the management console, since the bug requires PR:L. Avoid disabling the agent entirely as a workaround unless absolutely necessary, since doing so removes password self-service, auditing, or backup coverage for those endpoints.

More in Zoho

View all
CVE-2016-6600 CRITICAL POC
9.8 Jan 23

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remot

CVE-2015-8249 CRITICAL POC
9.8 Sep 28

The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and e

CVE-2014-5005 HIGH POC
7.5 Oct 21

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers

CVE-2015-7765 CRITICAL POC
9.0 Oct 09

ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser a

CVE-2015-7766 CRITICAL POC
9.0 Oct 09

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL q

CVE-2014-6037 HIGH POC
7.5 Oct 26

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8

CVE-2015-7387 HIGH POC
7.5 Sep 28

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions

CVE-2016-6601 HIGH POC
7.5 Jan 23

Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows rem

CVE-2014-6034 MEDIUM POC
5.0 Dec 04

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in Z

CVE-2014-3996 HIGH POC
7.5 Dec 05

SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central

CVE-2017-11512 HIGH POC
7.5 Nov 08

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the path

CVE-2014-7866 HIGH POC
7.5 Dec 10

Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and

Share

EUVD-2026-31283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy