CVE-2021-40539

CRITICAL KEV RANSOMWARE NUCLEI

ManageEngine ADSelfService Plus CVE-2021-40539

Title source: metasploit

Exploitation Summary

CVE-2021-40539 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 3, 2021), with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including synacktiv, Bu0uCat and DarkSprings, as well as the Metasploit module exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2021-40539, an authentication bypass and RCE vulnerability in ManageEngine ADSelfService Plus. It uploads a JSP webshell and a malicious Java class file, then triggers RCE via a crafted request to the RestAPI endpoint.

Description

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

Exploits (6)

nomisec WORKING POC 47 stars
by synacktiv · remote
https://github.com/synacktiv/CVE-2021-40539

This PoC exploits CVE-2021-40539, an authentication bypass and RCE vulnerability in ManageEngine ADSelfService Plus. It uploads a JSP webshell and a malicious Java class file, then triggers RCE via a crafted request to the RestAPI endpoint.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: ManageEngine ADSelfService Plus (versions up to 6113)
No auth needed
Prerequisites: Network access to the target · Target running vulnerable version of ADSelfService Plus
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by Bu0uCat · remote
https://github.com/Bu0uCat/ADSelfService-Plus-RCE-CVE-2021-40539

This repository contains a Python-based exploit for CVE-2021-40539, an RCE vulnerability in ZOHO ManageEngine ADSelfService Plus. The exploit uploads a JSP webshell and a Java class file to achieve remote code execution via a directory traversal and file upload vulnerability.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: ZOHO ManageEngine ADSelfService Plus
No auth needed
Prerequisites: Network access to the target · Target running vulnerable version of ADSelfService Plus
devstral-2 · analyzed Feb 16, 2026
nomisec STUB 2 stars
by DarkSprings · poc
https://github.com/DarkSprings/CVE-2021-40539

The repository contains only a README.md file with minimal information about CVE-2021-40539, lacking any exploit code or technical details. No functional PoC or exploit logic is present.

Classification
Stub 10%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by lpyydxs · remote
https://github.com/lpyydxs/CVE-2021-40539

This repository contains a Python-based exploit for CVE-2021-40539, an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus. The exploit uploads a JSP webshell and a Java class file to achieve remote code execution (RCE) on vulnerable systems.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Zoho ManageEngine ADSelfService Plus (versions 6113 and earlier)
No auth needed
Prerequisites: Target must be running a vulnerable version of ADSelfService Plus · Network access to the target's REST API endpoints
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by lpyzds · remote
https://github.com/lpyzds/CVE-2021-40539

This repository contains a Python-based exploit for CVE-2021-40539, an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus. The exploit includes functionality to upload a JSP webshell and a Java class payload, then trigger remote code execution via the REST API.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Zoho ManageEngine ADSelfService Plus (versions up to 6113)
No auth needed
Prerequisites: Network access to the target's REST API endpoint · Python 3 environment with requests library
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Antoine Cervoise, Wilfried Bécard, mr_me, wvu · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb

This Metasploit module exploits CVE-2021-40539, an authentication bypass in ManageEngine ADSelfService Plus, to upload and execute a malicious JAR file, achieving remote code execution as the SYSTEM user if the service runs with elevated privileges.

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: ManageEngine ADSelfService Plus (versions affected by CVE-2021-40539)
No auth needed
Prerequisites: Network access to the target's REST API (port 8888 by default) · Vulnerable version of ManageEngine ADSelfService Plus
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution
CRITICAL · by daffainfo, pdteam
Shodan: http.title:"manageengine" || http.title:"adselfservice plus"
FOFA: title="manageengine" || title="adselfservice plus"

Scores

CVSS v3 9.8
EPSS 0.9441
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-09-16
InTheWild.io 2021-09-09
ENISA EUVD EUVD-2021-27714
Ransomware Use Confirmed
CWE
CWE-706
Status published
Products (2)
zohocorp/manageengine_adselfservice_plus 6.1 (9 CPE variants)
zohocorp/manageengine_adselfservice_plus < 6.1
Published Sep 07, 2021
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026