CVE-2021-20131
Published 2021-10-13
Priority: P2 · 65 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 16.04% (96.5th percentile)
ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_admanager_plus | < 7.1 | 7.1 |
| zohocorp | manageengine_admanager_plus | — | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /RestAPI/WC/Personalize that upload executable files (e.g., .exe), particularly targeting the \bin\ directory of the ADMP installation, which could indicate an attempt to replace admanager.exe with attacker-controlled code.
- Monitor for POST requests to /RestAPI/WC/PasswordExpiryNotification that upload JSP files, followed by GET requests to /ompemberapp/PasswordExpiryNotification/<timestamp>_<filename>.jsp, indicating webshell deployment and execution.
- Detect uploaded JSP webshell files in \webapps\adsm\ompemberapp\PasswordExpiryNotification\ with filenames matching the pattern <epoch_milliseconds>_<original_filename>.jsp.
- Alert on unexpected modification or replacement of \bin\admanager.exe on ADMP hosts, especially if the file is written by the ADMP Java/web process rather than a legitimate installer.
- Monitor for a debugger attaching to the ADMP Java process and breakpoints set on ADsOpenObject in ACTIVEDS.dll, which may indicate credential harvesting of domain accounts configured in ADMP.
- Note: Both CVE-2021-20130 and CVE-2021-20131 are post-authentication vulnerabilities; exploitation requires valid (low-privilege) credentials to the ADMP web interface. Unauthenticated access alone is insufficient.
- Note: The domain account configured in ADMP for Active Directory operations is a high-value credential target (often domain administrator), and its compromise is a likely post-exploitation objective.
- Note: The RCE via /RestAPI/WC/Personalize (CVE-2021-20131) is triggered on ADMP service restart, not immediately upon upload; a detection window exists between file write and execution.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No public exploits indexed.