CVE-2026-2740

Zohocorp · ManageEngine ADSelfService Plus

ManageEngine ADSelfService Plus, DataSecurity Plus, and RecoveryManager Plus contain a third-party dependency vulnerability allowing authenticated remote code execution on agent machines.

Executive summary

A vulnerability in a third-party dependency allows authenticated remote code execution on agent machines managed by Zohocorp ManageEngine products.

Vulnerability

The vulnerability stems from a flaw in a third-party component. Exploitation requires an authenticated attacker; a successful attack results in remote code execution (RCE) on agent machines.

Business impact

With a CVSS score of 8.4, this vulnerability represents a critical risk to organizational security. Successful exploitation grants an attacker the ability to execute arbitrary code on agent machines, likely leading to a full compromise of the affected endpoints and potential lateral movement across the network.

Remediation

Immediate Action: Update ADSelfService Plus (to at least build 6525), DataSecurity Plus (to at least build 6264), and RecoveryManager Plus (to at least build 6313).

Proactive Monitoring: Audit agent machine logs for unauthorized process creation and unusual network activity originating from the agent software.

Compensating Controls: Restrict network access to the agent management ports and ensure that the administrative accounts used for these services follow the principle of least privilege.
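The following is an added example, not part of this advisory and not code from ManageEngine, showing how the two Proactive Monitoring items above (unauthorized process creation, unusual network activity from the agent) can be turned into simple detection logic over Sysmon-style process-creation and network-connection records. The agent executable path and the management-server address are placeholders, and the sample events are constructed for illustration.

```python
"""
Added example (not from the advisory or ManageEngine): detection logic for
the advisory's monitoring recommendations, run over constructed records.

  - Sysmon Event ID 1 (ProcessCreate): flag shells/script hosts whose parent
    process is the endpoint agent.
  - Sysmon Event ID 3 (NetworkConnect): flag agent-initiated connections to
    destinations other than the expected management server(s).

AGENT_IMAGES and MANAGEMENT_SERVERS are placeholders for site-specific values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder agent executable path(s); substitute the path deployed on your hosts.
AGENT_IMAGES = {r"c:\placeholder_agent_dir\agent.exe"}

# Placeholder management-server address(es) the agent is expected to contact.
MANAGEMENT_SERVERS = {"10.0.0.5"}

# Interpreters / living-off-the-land binaries an endpoint agent has no routine reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


@dataclass(frozen=True)
class Event:
    event_id: int            # Sysmon event ID
    fields: Dict[str, str]   # subset of the Sysmon EventData fields


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_agent(path: str) -> bool:
    """Case-insensitive match against the configured agent image path(s)."""
    return path.lower() in AGENT_IMAGES


def check_process_create(ev: Event) -> Optional[str]:
    """Sysmon ID 1: the agent process spawning a shell or script host."""
    if ev.event_id != 1:
        return None
    parent = ev.fields.get("ParentImage", "")
    image = ev.fields.get("Image", "")
    if is_agent(parent) and basename(image) in SUSPICIOUS_CHILDREN:
        return f"agent spawned {basename(image)}: {ev.fields.get('CommandLine', '')}"
    return None


def check_network_connect(ev: Event) -> Optional[str]:
    """Sysmon ID 3: the agent connecting somewhere other than its management server."""
    if ev.event_id != 3:
        return None
    image = ev.fields.get("Image", "")
    dest = ev.fields.get("DestinationIp", "")
    if is_agent(image) and dest not in MANAGEMENT_SERVERS:
        port = ev.fields.get("DestinationPort", "?")
        return f"agent connected to unexpected host {dest}:{port}"
    return None


def find_alerts(events: List[Event]) -> List[str]:
    """Run every check over every event and collect the alert messages in order."""
    alerts: List[str] = []
    for ev in events:
        for check in (check_process_create, check_network_connect):
            msg = check(ev)
            if msg:
                alerts.append(msg)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event(1, {"Image": r"C:\Windows\System32\cmd.exe",
              "ParentImage": r"C:\placeholder_agent_dir\agent.exe",
              "CommandLine": "cmd.exe /c ipconfig"}),
    Event(1, {"Image": r"C:\Windows\System32\conhost.exe",
              "ParentImage": r"C:\placeholder_agent_dir\agent.exe",
              "CommandLine": "conhost.exe"}),
    Event(3, {"Image": r"C:\placeholder_agent_dir\agent.exe",
              "DestinationIp": "10.0.0.5", "DestinationPort": "8443"}),
    Event(3, {"Image": r"C:\placeholder_agent_dir\agent.exe",
              "DestinationIp": "203.0.113.7", "DestinationPort": "443"}),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Both checks key on the agent's image path rather than on the child or destination alone, so ordinary shells launched by users and ordinary agent traffic to the management server produce no alert; only the combination the advisory describes (agent-originated execution or agent-originated traffic to an unexpected host) is flagged. The same logic maps directly onto a SIEM query if the agent path and management-server set are supplied as lookup lists.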

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is a critical vulnerability that directly impacts the integrity of managed agent machines. IT administrators must prioritize updating these ManageEngine products to the specified versions to remediate the vulnerable third-party dependency.