Auth RCE in Zohocorp ManageEngine ADSelfService Plus via Dependency
CVE-2026-2740 Published on May 21, 2026

Remote Code Execution
Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.

NVD

Vulnerability Analysis

CVE-2026-2740 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
LOW

Weakness Type

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2026-2740 has been classified to as a Command Injection vulnerability or weakness.


Products Associated with CVE-2026-2740

Want to know whenever a new CVE is published for Zoho Corp products? stack.watch will email you.

Zoho Corp Manageengine Adselfservice Plus
 
Zoho Corp Manageengine Datasecurity Plus
 
Zoho Corp Manageengine Recoverymanager Plus
 

Affected Versions

Zohocorp ManageEngine ADSelfService Plus: Zohocorp ManageEngine DataSecurity Plus: Zohocorp ManageEngine RecoveryManager Plus: