CVE-2021-42847

CRITICAL

ManageEngine ADAudit Plus Authenticated File Write RCE

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-42847. PoCs published by Moon, Erik Wynter, including Metasploit module exploits/windows/http/manageengine_adaudit_plus_authenticated_rce.

AI-analyzed exploit summary This Metasploit module exploits an authenticated file write vulnerability (CVE-2021-42847) in ManageEngine ADAudit Plus to achieve remote code execution by creating a custom alert profile with a malicious script. It supports versions prior to 7006 and handles both direct payload insertion (pre-7004) and arbitrary file write (7004-7005).

Description

Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Moon, Erik Wynter · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_adaudit_plus_authenticated_rce.rb

This Metasploit module exploits an authenticated file write vulnerability (CVE-2021-42847) in ManageEngine ADAudit Plus to achieve remote code execution by creating a custom alert profile with a malicious script. It supports versions prior to 7006 and handles both direct payload insertion (pre-7004) and arbitrary file write (7004-7005).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ManageEngine ADAudit Plus < 7006
Auth required
Prerequisites: Valid credentials for an account with alert script creation privileges · Network access to the ADAudit Plus server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.7033
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
zohocorp/manageengine_adaudit_plus 7.0 (6 CPE variants)
zohocorp/manageengine_adaudit_plus < 7.0
Published Nov 11, 2021
Tracked Since Feb 18, 2026