CVE-2026-2740
Zohocorp · ManageEngine ADSelfService Plus
ManageEngine ADSelfService Plus, DataSecurity Plus, and RecoveryManager Plus contain a third-party dependency vulnerability allowing authenticated remote code execution on agent machines.
Executive summary
A vulnerability in a third-party dependency allows authenticated remote code execution on agent machines managed by Zohocorp ManageEngine products.
Vulnerability
The vulnerability stems from a flaw in a third-party component. An attacker must be authenticated to exploit it, and successful exploitation results in remote code execution (RCE) on agent machines.
Business impact
With a CVSS score of 8.4, this vulnerability represents a critical risk to organizational security. Successful exploitation grants an attacker the ability to execute arbitrary code on agent machines, likely leading to a full compromise of the affected endpoints and potential lateral movement across the network.
Remediation
Immediate Action: Update ADSelfService Plus to at least 6525, DataSecurity Plus to at least 6264, and RecoveryManager Plus to at least 6313.
Proactive Monitoring: Audit agent machine logs for unauthorized process creation and unusual network activity originating from the agent software.
Compensating Controls: Restrict network access to the agent management ports and ensure that the administrative accounts used for these services follow the principle of least privilege.
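To track the Immediate Action across many installations, the following added example (not code from the vendor or from this advisory) classifies an inventory export against the fixed versions listed above. The CSV column names, host names and status labels are assumptions, and it assumes the installed version is reported as the same plain integer the advisory uses.

```python
import csv
import io

# Minimum fixed versions, taken from the Remediation section of this advisory.
FIXED = {
    "adselfservice plus": 6525,
    "datasecurity plus": 6264,
    "recoverymanager plus": 6313,
}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,version
srv-ad01,ADSelfService Plus,6524
srv-ad02,ADSelfService Plus,6525
srv-fs01,DataSecurity Plus,6264
srv-bk01,RecoveryManager Plus,6310
srv-bk02,RecoveryManager Plus,unknown
srv-hd01,ServiceDesk Plus,14000
"""


def triage(inventory_csv):
    """Return {host: status}; status is vulnerable, fixed, review or not_listed."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"].strip()
        minimum = FIXED.get(row["product"].strip().lower())
        if minimum is None:
            # Product is not one of the three named in this advisory.
            results[host] = "not_listed"
            continue
        try:
            installed = int((row.get("version") or "").strip())
        except ValueError:
            # Missing or unparseable version: check by hand, never assume fixed.
            results[host] = "review"
            continue
        results[host] = "fixed" if installed >= minimum else "vulnerable"
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` should be checked manually rather than treated as patched.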
Exploitation status
Public Exploit Available: false
Analyst recommendation
This is a critical vulnerability that directly impacts the integrity of managed agent machines. IT administrators must prioritize updating these ManageEngine products to the specified versions to remediate the vulnerable third-party dependency.