Background
ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution used by enterprises to let employees reset their own passwords and manage multi-factor authentication without IT desk involvement. It’s deeply integrated with Active Directory — it has to be, by design — which means it typically sits with privileged access to your domain controllers. It’s widely deployed in government, defence, and critical infrastructure sectors.
That combination of internet-facing deployment (users access it from outside the network) and privileged AD access makes it a prime target. CVE-2021-40539 was disclosed in September 2021 and was immediately weaponised by sophisticated threat actors targeting defence and technology organisations.
Technical Mechanism
The vulnerability is in ADSelfService Plus’s REST API authentication mechanism. Certain API endpoints can be accessed without authentication by appending specific path suffixes that bypass the authentication filter.
Specifically, the application uses a URL-based filter to determine whether a request requires authentication. By appending /./ or similar path traversal sequences to certain API endpoint URLs, an attacker can reach authenticated-only endpoints while bypassing the authentication check.
The exploit flow:
- Identify a target running ADSelfService Plus (typically on port 9251 or 8888)
- Send a crafted POST request to `/RestAPI/LogonCustomization` or similar endpoints with an authentication bypass path
- Upload a malicious `.jsp` file using the file upload functionality that becomes accessible through the bypass
- Execute the webshell for arbitrary command execution as the application's service account
The application typically runs as SYSTEM or a highly privileged domain service account, meaning code execution immediately yields elevated privileges on the host and potentially across the domain.
Real-World Exploitation Evidence
This vulnerability was exploited heavily by APT groups linked to the Chinese government:
- APT27 (Emissary Panda/Lucky Mouse) — the FBI and CISA joint advisory specifically named this group as exploiting CVE-2021-40539 against defence contractors and critical infrastructure. They used the access to deploy Godzilla webshells and custom implants
- TiltedTemple campaign — a broadly tracked campaign where multiple Chinese-nexus actors used this vulnerability to target US defence industrial base companies, higher education, and critical infrastructure
- Unknown APT actors — targeted US state government networks using this vulnerability as initial access
The FBI/CISA advisory from November 2021 noted that adversaries were leveraging the access to pivot to AD and harvest credentials, with dwell times of weeks before detection.
Impact Assessment
- Domain compromise — the service account ADSelfService Plus runs under typically has extensive AD permissions; attackers routinely pivoted to full domain admin
- Credential theft — access to the application database allows extraction of user credentials and AD hashes
- Lateral movement — from the ADSelfService Plus server, attackers moved laterally across the network using harvested credentials
- Persistent backdoors — Godzilla webshells and custom implants maintained long-term access
- Supply chain exposure — in defence contractor environments, this led to theft of controlled technical data and intellectual property
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ManageEngine ADSelfService Plus | Build 6113 and earlier | Build 6114 |
Remediation Steps
- Update to ADSelfService Plus build 6114 or later immediately
- If you cannot patch immediately, restrict access to the ADSelfService Plus portal to known IP ranges
- Search for unauthorised files in the application directory: `find /opt/manageengine/adselfservice/ -name "*.jsp" -newer /opt/manageengine/adselfservice/bin/AdSelfService.jar`
- Review application logs for API calls to `/RestAPI/` endpoints from unexpected IPs
- Audit the service account ADSelfService Plus runs under — review its AD permissions and limit them to the minimum required
- Enable detailed application logging if not already on
- Consider placing the application behind a WAF with rules blocking path traversal sequences
- Review AD logs (Event ID 4768, 4769) for abnormal Kerberos ticket requests from the server’s IP
Detection Guidance
Application logs — look in [install_dir]/logs/ for API calls containing /./ or path traversal sequences in the URL, particularly to /RestAPI/ endpoints.
File system monitoring — alert on new .jsp files appearing in the application’s web directories.
Windows Event Logs / AD audit logs — look for unusual account activity originating from the ADSelfService Plus server host.
Network monitoring — the server should only initiate connections to your domain controllers; any outbound connections to external IPs from this host warrant investigation.
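As an added example (not part of the original write-up or of ManageEngine's code), the following Python scanner implements the application-log check above: it canonicalizes each request path the way a servlet container resolves dot segments and flags requests whose raw URI differs from that canonical form yet resolves under `/RestAPI/`, which is exactly the case where a filter matching the raw URI string and the dispatcher disagree. The log format, IP addresses and lines are constructed, and the check generalizes beyond the literal `/./` named in the text to `..` and percent-encoded dot segments.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2021:10:01:02 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 401 0
203.0.113.7 - - [14/Sep/2021:10:01:09 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 512
203.0.113.7 - - [14/Sep/2021:10:01:11 +0000] "POST /RestAPI/../RestAPI/LogonCustomization HTTP/1.1" 200 512
10.0.0.8 - - [14/Sep/2021:10:02:00 +0000] "GET /help/./images/logo.png HTTP/1.1" 200 4096
198.51.100.2 - - [14/Sep/2021:10:03:30 +0000] "POST /%2e/RestAPI/LogonCustomization HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def canonicalize(uri):
    """Percent-decode, then resolve '.' and '..' segments the way a servlet
    container does before mapping the request to a servlet (query string dropped)."""
    path = unquote(uri.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def is_bypass_attempt(uri, protected_prefix="/RestAPI/"):
    """True when the raw URI differs from its canonical form (dot segments, doubled
    slashes, encoded dots) and the canonical path lands under the protected prefix:
    a raw-string auth filter would miss the prefix, the dispatcher would still route it."""
    raw_path = uri.split("?", 1)[0]
    canon = canonicalize(uri)
    return canon.startswith(protected_prefix) and raw_path != canon

def scan_log(text):
    """Return (ip, method, raw_uri, status) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["uri"]):
            hits.append((m["ip"], m["method"], m["uri"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

A 200 response on a flagged line is the higher-priority signal; the same request returning 401 against a patched build is expected behaviour.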
Suricata signature:
alert http any any -> any $HTTP_PORTS (msg:"ManageEngine ADSelfService CVE-2021-40539 Auth Bypass"; flow:established,to_server; http.uri; content:"/RestAPI/"; content:"./"; distance:0; within:20; classtype:web-application-attack; sid:2034003; rev:1;)
IOCs:
- Godzilla webshell hashes (check current threat intel feeds)
- Unusual `.jsp` files in application directories
- Outbound connections from ADSelfService Plus server to non-AD hosts
Timeline
| Date | Event |
|---|---|
| September 2021 | Zoho releases build 6114 patching CVE-2021-40539 |
| September 2021 | Active exploitation begins by APT actors |
| 16 September 2021 | CISA advisory issued urging immediate patching |
| November 2021 | FBI/CISA joint advisory attributes exploitation to APT27 and TiltedTemple campaign |
| November 2021 | Added to CISA Known Exploited Vulnerabilities catalogue |
| 2021–2022 | Continued exploitation targeting defence and critical infrastructure |