CVE-2021-20131
published 2021-10-13


Priority: P2 · 65
CVSS 3.1: 8.8 (high) · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 16.04% (96.5th percentile)
ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.

Affected (2 ranges)

Vendor     Product                       Version range   Fixed in
zohocorp   manageengine_admanager_plus   < 7.17.1        (not given)
zohocorp   manageengine_admanager_plus   (not given)     (not given)

Detection & IOCs (extracted from sources)

url:      /RestAPI/WC/Personalize
url:      /RestAPI/WC/PasswordExpiryNotification
path:     \webapps\adsm\ompemberapp\PasswordExpiryNotification\
url:      /ompemberapp/PasswordExpiryNotification/
filename: 1630429499081_webshell.jsp
  • Monitor for POST requests to /RestAPI/WC/Personalize that upload executable files (e.g., .exe), particularly targeting the \bin\ directory of the ADMP installation, which could indicate an attempt to replace admanager.exe with attacker-controlled code.
  • Monitor for POST requests to /RestAPI/WC/PasswordExpiryNotification that upload JSP files, followed by GET requests to /ompemberapp/PasswordExpiryNotification/<timestamp>_<filename>.jsp, indicating webshell deployment and execution.
  • Detect uploaded JSP webshell files in \webapps\adsm\ompemberapp\PasswordExpiryNotification\ with filenames matching the pattern <epoch_milliseconds>_<original_filename>.jsp.
  • Alert on unexpected modification or replacement of \bin\admanager.exe on ADMP hosts, especially if the file is written by the ADMP Java/web process rather than a legitimate installer.
  • Monitor for a debugger attaching to the ADMP Java process and breakpoints set on ADsOpenObject in ACTIVEDS.dll, which may indicate credential harvesting of domain accounts configured in ADMP.
  • Both CVE-2021-20130 and CVE-2021-20131 are post-authentication vulnerabilities; exploitation requires valid (low-privilege) credentials to the ADMP web interface. Unauthenticated access alone is insufficient.
  • The domain account configured in ADMP for Active Directory operations is a high-value credential target (often domain administrator), and its compromise is a likely post-exploitation objective.
  • The RCE via /RestAPI/WC/Personalize (CVE-2021-20131) is triggered on ADMP service restart, not immediately upon upload; detection windows exist between file write and execution.
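The web-log side of the detection guidance above (POST to the two upload endpoints, followed by a GET of a <epoch_milliseconds>_<name>.jsp under /ompemberapp/PasswordExpiryNotification/) and the upload-directory filename check can be implemented as one pass over access-log lines. The script below is an added example, not code from the page or from the vendor: it assumes Tomcat "common" access-log format, a 15-minute correlation window between upload and first execution, and the sample log lines are constructed for the example (only the endpoint paths and the webshell filename come from the IOC list).

```python
import re
from datetime import datetime, timedelta

# Endpoints and paths from the IOC list.
PERSONALIZE = "/RestAPI/WC/Personalize"
PWD_EXPIRY = "/RestAPI/WC/PasswordExpiryNotification"
# Uploaded files land in the web-exposed directory renamed <epoch_ms>_<original>.jsp.
WEBSHELL_PATH = re.compile(
    r"^/ompemberapp/PasswordExpiryNotification/(\d{13}_[^/?]+\.jsp)(?:\?|$)",
    re.IGNORECASE)
WEBSHELL_NAME = re.compile(r"^\d{13}_.+\.jsp$", re.IGNORECASE)

# Assumed log format: Tomcat "common" pattern. Adjust LOG_RE for other patterns.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (hypothetical traffic, not from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2021:10:01:02 +0000] "GET /RestAPI/WC/ProductInfo HTTP/1.1" 200 512
10.0.0.9 - - [13/Oct/2021:10:02:10 +0000] "POST /RestAPI/WC/PasswordExpiryNotification HTTP/1.1" 200 87
10.0.0.9 - - [13/Oct/2021:10:02:15 +0000] "GET /ompemberapp/PasswordExpiryNotification/1630429499081_webshell.jsp?cmd=whoami HTTP/1.1" 200 1024
10.0.0.9 - - [13/Oct/2021:10:05:00 +0000] "POST /RestAPI/WC/Personalize HTTP/1.1" 200 64
10.0.0.7 - - [13/Oct/2021:10:06:00 +0000] "GET /ompemberapp/PasswordExpiryNotification/template.html HTTP/1.1" 200 300
"""


def parse_log(text):
    """Yield one dict per parseable access-log line; skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"].upper(),
            "path": m["path"],
            "status": int(m["status"]),
        }


def is_webshell_name(name):
    """True if a filename matches the <epoch_milliseconds>_<original>.jsp upload pattern."""
    return bool(WEBSHELL_NAME.match(name))


def scan_upload_dir(filenames):
    """Filter a directory listing of the PasswordExpiryNotification folder for uploaded JSPs."""
    return [f for f in filenames if is_webshell_name(f)]


def detect(text, window=timedelta(minutes=15)):
    """Return alerts for the two upload endpoints and for JSP execution in the upload dir.

    - POST /RestAPI/WC/Personalize: flagged on its own, because the payload only fires on
      service restart and the access log cannot show what was uploaded.
    - POST /RestAPI/WC/PasswordExpiryNotification followed (same client, within `window`)
      by GET of <epoch_ms>_<name>.jsp: webshell deployed and executed.
    - GET of such a JSP with no correlated upload: still worth an alert (another client,
      or the upload happened outside the log window).
    """
    alerts = []
    last_post = {}  # client ip -> time of its most recent PasswordExpiryNotification POST
    for e in parse_log(text):
        route = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and route == PERSONALIZE:
            alerts.append({"ip": e["ip"], "rule": "personalize-upload", "detail": route})
        elif e["method"] == "POST" and route == PWD_EXPIRY:
            last_post[e["ip"]] = e["ts"]
        elif e["method"] == "GET":
            m = WEBSHELL_PATH.match(e["path"])
            if m:
                prior = last_post.get(e["ip"])
                correlated = prior is not None and e["ts"] - prior <= window
                rule = "webshell-executed" if correlated else "jsp-in-upload-dir"
                alerts.append({"ip": e["ip"], "rule": rule, "detail": m.group(1)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['rule']:<20} {a['ip']:<12} {a['detail']}")
```

On the sample input this raises two alerts: webshell-executed for 10.0.0.9 (POST to the upload endpoint, then GET of 1630429499081_webshell.jsp five seconds later) and personalize-upload for the same client. The Personalize rule is deliberately low-bar: because the access log does not carry the upload's filename or target path, confirming an attempt to drop a binary into \bin\ has to be done on the host (file-creation events in the ADMP install directory, or scan_upload_dir run over the PasswordExpiryNotification folder for the JSP case).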

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P