Zohocorp ManageEngine RCE in ADSelfService Plus, DataSecurity Plus, RecoveryManager Plus

/HIGH /CVSS 8.4/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityremote-code-executioncwe-77
Zohocorp ManageEngine RCE in ADSelfService Plus, DataSecurity Plus, RecoveryManager Plus

The National Vulnerability Database has disclosed CVE-2026-2740, an authenticated remote code execution vulnerability impacting Zohocorp’s ManageEngine ADSelfService Plus (versions before 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313). This high-severity flaw, with a CVSSv3.1 score of 8.4, stems from a bug in a third-party dependency used by these products, specifically affecting agent machines.

Attackers exploiting this vulnerability could gain significant control over targeted systems, leveraging authenticated access to execute arbitrary code. The critical aspect here is the ‘authenticated’ prerequisite; it means an attacker already has a foothold or valid credentials, making this a privilege escalation or lateral movement vector rather than an initial access method. However, the impact — full remote code execution — is severe, allowing for data exfiltration, further system compromise, or disruption.

Defenders must prioritize patching these Zohocorp products immediately. The existence of a third-party dependency bug highlights the pervasive supply chain risk in modern software. CISOs need to ensure their patching cadence accounts for not just direct product vulnerabilities but also those inherited through dependencies, especially for critical infrastructure components like identity management and data security solutions.

What This Means For You

  • If your organization uses Zohocorp ManageEngine ADSelfService Plus, DataSecurity Plus, or RecoveryManager Plus, you are directly exposed. Patch to the specified versions (ADSelfService Plus 6525+, DataSecurity Plus 6264+, RecoveryManager Plus 6313+) immediately. Audit logs for suspicious activity on agent machines connected to these services, especially for unusual process execution or network connections.

Indicators of Compromise

IDTypeIndicator
CVE-2026-2740 RCE Zohocorp ManageEngine ADSelfService Plus < 6525
CVE-2026-2740 RCE Zohocorp ManageEngine DataSecurity Plus < 6264
CVE-2026-2740 RCE Zohocorp ManageEngine RecoveryManager Plus < 6313
CVE-2026-2740 RCE Authenticated Remote code execution in agent machines

Written by SCW Vulnerability Desk

🔎
Check ManageEngine exposure Use /org zohocorp.com to see related threats and advisories for Zohocorp products.
Open Intel Bot →
Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 21, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-45208: Apex One/SEP Agent Vulnerability Allows Local Privilege Escalation

CVE-2026-45208 — A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an...

vulnerabilityCVEhigh-severitycwe-367
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 3 IOCs

CVE-2026-45207: Apex One/SEP Agent Privilege Escalation

CVE-2026-45207 — An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar...

vulnerabilityCVEhigh-severitycwe-346
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 3 IOCs

CVE-2026-45206: Privilege Escalation in Apex One/SEP Agent

CVE-2026-45206 — An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar...

vulnerabilityCVEhigh-severitycwe-346
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 4 IOCs