
CVE-2021-40539: ManageEngine ADSelfService Plus Authentication Bypass and RCE

A REST API authentication bypass in ManageEngine ADSelfService Plus that APT41 and other threat actors exploited to compromise defense contractors, critical infrastructure, and academic institutions — dropping Godzilla webshells and deploying PetitPotam for full domain compromise

- CVSS score: 9.8
- Distinct APT clusters exploiting: 3+
- CISA KEV: added September 2021
- First patched version: build 6114

CVE-2021-40539 is a critical authentication bypass and remote code execution vulnerability in ManageEngine ADSelfService Plus, patched in September 2021. The flaw allowed unauthenticated attackers to send requests to REST API endpoints that should require authentication, then upload a malicious JSP file to achieve code execution on the server. CISA, FBI, and CGCYBER issued a joint advisory confirming exploitation by APT41 and at least two other threat actor clusters against U.S. defense contractors, academic institutions, and critical infrastructure operators. The product's deep Active Directory integration made every compromised instance a potential full-domain-compromise launchpad.

Vulnerability Details: REST API Authentication Bypass

ManageEngine ADSelfService Plus exposes a REST API for administrative operations and integrations. The authentication bypass in CVE-2021-40539 allows an attacker to access specific protected API endpoints — particularly those related to custom certificate and application configuration — by manipulating the URL path in a way that bypasses the authentication filter.

With access to the unprotected API endpoint, an attacker can upload a file to the server filesystem. By uploading a JSP webshell to a web-accessible directory and then requesting it via the web interface, the attacker achieves code execution with the privileges of the ManageEngine service account — typically a highly privileged AD service account.

APT41 and the Godzilla Webshell Campaign

Unit 42 and CISA documented at least three distinct threat actor clusters exploiting CVE-2021-40539 within weeks of disclosure:

**APT41 (also tracked as Winnti, BARIUM, Double Dragon)**: The Chinese state-sponsored group deployed their signature Godzilla webshell — a Java-based webshell with AES encryption for C2 communications that evades many signature-based detection systems. Post-exploitation included deployment of the SIDEWALK backdoor (a modular implant with C2 over HTTPS) and NeoIcedoor.

**Second cluster**: Deployed the PetitPotam NTLM relay attack against the compromised server's local Active Directory Certificate Services, escalating from ADSelfService Plus compromise to full domain compromise by coercing the DC to authenticate and relaying to AD CS for a domain controller certificate.

**Third cluster**: Focused on lateral movement and data exfiltration using the initial webshell access to pivot to connected internal systems.

Observed exploitation chain, in order:

1. **Identify an internet-facing ADSelfService Plus instance**: ADSelfService Plus is commonly internet-facing as a self-service password reset portal. Attackers identify exposed instances via Shodan or direct scanning for the ManageEngine portal interface.

2. **Authentication bypass to the REST API**: The attacker sends a crafted request to a protected REST API endpoint with a URL path manipulation that bypasses the authentication filter. No credentials are required.

3. **JSP webshell upload**: Using the unauthenticated API access, the attacker uploads a JSP webshell (commonly the Godzilla webshell in observed campaigns) to a web-accessible directory on the server.

4. **Code execution as the ManageEngine service account**: The attacker accesses the uploaded webshell via HTTP, achieving code execution with the privileges of the ManageEngine process, typically a high-privilege AD service account.

5. **Domain compromise via PetitPotam or credential harvest**: The APT41 cluster used PetitPotam to coerce NTLM authentication from the DC and relay it to AD CS for full domain compromise. Others directly harvested the AD credentials stored in the ADSelfService Plus configuration.

Why ADSelfService Plus Access Leads to Domain Compromise

ManageEngine ADSelfService Plus is AD-integrated by design. The server's service account typically holds permissions to:

- Read all user and computer attributes from Active Directory
- Unlock accounts and reset passwords for all domain users
- Query and enumerate AD groups and organizational units

Additionally, ADSelfService Plus stores AD administrator credentials in its configuration database for the purpose of performing password resets. Dumping this configuration file from a compromised server yields credentials with AD admin-level permissions.

Detection

Key indicators for CVE-2021-40539 exploitation:

Indicators of Compromise

| Artifact | Type / data source | Detection notes |
|---|---|---|
| HTTP requests to ManageEngine REST API endpoints with path traversal patterns in the URL, particularly targeting /RestAPI/ paths without valid session tokens | Web server access log | Authentication bypass requests have a characteristic URL structure; review IIS or Apache logs for REST API requests from external IPs without corresponding authenticated sessions |
| New JSP or WAR files in ManageEngine ADSelfService Plus web root directories | Filesystem (ManageEngine installation directory) | Godzilla and other webshells appear as unexpected JSP files in /ManageEngine/ADSelfServicePlus/webapps/ or similar paths; compare against a known-good file manifest |
| ManageEngine service account performing LDAP queries beyond normal operational patterns | Active Directory / LDAP audit log | Post-exploitation enumeration generates elevated LDAP query volume; baseline normal query patterns and alert on deviations in volume or query type |
| Godzilla webshell C2 communications (AES-encrypted POST requests with characteristic base64-encoded payloads) | Network (IDS/IPS) | Godzilla's AES-encrypted C2 has known network signatures; Emerging Threats and YARA rules are publicly available for detection |
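The first row of the table can be turned into a log check. The script below is an added example, not code from the page or from ManageEngine: it parses combined-format access log lines (with the request Cookie header appended as a final field), decodes the URL, and flags /RestAPI/ requests that contain a traversal sequence or that arrive from outside the assumed internal ranges without a session cookie. The internal network list, the session cookie name and the sample log lines are assumptions constructed for the demo.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Assumed internal ranges and session cookie name (adjust to your deployment).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SESSION_COOKIE = "JSESSIONID"  # assumption: the portal's session cookie name as logged

# Combined log format with the request Cookie header appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?'
)

# Constructed sample lines, not real captures. Lines 2 and 3 come from an external
# address with no session cookie; line 2 also carries an encoded traversal sequence.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2021:09:12:01 +0000] "GET /RestAPI/Connection HTTP/1.1" 200 512 "-" "Mozilla/5.0" "JSESSIONID=abc123"
203.0.113.7 - - [10/Sep/2021:09:13:44 +0000] "POST /..%2fRestAPI/Connection HTTP/1.1" 200 301 "-" "python-requests/2.25" "-"
203.0.113.7 - - [10/Sep/2021:09:13:50 +0000] "POST /RestAPI/Config HTTP/1.1" 401 0 "-" "python-requests/2.25" "-"
10.0.0.8 - - [10/Sep/2021:09:14:02 +0000] "GET /authorization.do HTTP/1.1" 200 4411 "-" "Mozilla/5.0" "-"
"""

def is_external(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparseable source: treat as external
    return not any(addr in net for net in INTERNAL_NETS)

def analyse_line(line):
    """Return (ip, raw path, reasons) if the request looks like a bypass attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so single- and double-encoded traversal sequences both surface.
    decoded = unquote(unquote(m["path"])).lower()
    if "/restapi/" not in decoded:
        return None
    reasons = []
    if ".." in decoded:
        reasons.append("traversal")
    if is_external(m["ip"]) and f"{SESSION_COOKIE}=" not in (m["cookie"] or ""):
        reasons.append("external-no-session")
    return (m["ip"], m["path"], reasons) if reasons else None

def detect(log_text):
    """Scan a whole access log and return the flagged (ip, path, reasons) tuples."""
    return [hit for hit in map(analyse_line, log_text.splitlines()) if hit]
```

Feed it your real access log (with the Cookie field logged) and triage the flagged source addresses against VPN and proxy records before escalating.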

Any instance of msimg32.dll found outside C:\Windows\System32 is an active IOC. Isolate the host immediately. Full hashes and IOC lists are available via the Cisco Talos GitHub repository.

Remediation

Priority actions:

Update to ADSelfService Plus build 6114 or later

Zoho ManageEngine released build 6114 patching CVE-2021-40539. Verify your current build number in the ADSelfService Plus admin console under Admin → Product Information. Any version before 6114 is vulnerable.

Restrict internet access to the ADSelfService Plus portal

ADSelfService Plus should ideally be accessible only via VPN or from trusted IP ranges. If internet-facing deployment is required, place the portal behind a WAF with strict rules blocking REST API access from external sources and requiring additional authentication (e.g., MFA) before portal access.

Audit the ManageEngine web directories for unexpected files

Search for JSP, WAR, or other executable files in the ManageEngine ADSelfService Plus web root that are not part of the standard installation. Any unexpected file indicates either exploitation or requires investigation.
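The manifest comparison this step and the detection table call for can be scripted. The following is an added example, not ManageEngine's tooling: it hashes every file under a web root, and a later run reports executable files (JSP, WAR, class, JAR) absent from the baseline, shipped files whose hash changed, and baseline files that have disappeared. The directory layout, file names and extension list are assumptions; build the baseline from a clean install of the same build.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the servlet container will execute; anything new with one of these deserves a look.
EXECUTABLE_EXT = {".jsp", ".jspx", ".war", ".class", ".jar"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Hash every file under root, keyed by forward-slash relative path (run this on a clean install)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}

def audit_webroot(root, manifest):
    """Compare the live web root against a known-good manifest.
    Returns {"unexpected": executable files absent from the manifest,
             "modified": files whose hash differs,
             "missing": manifest entries no longer present}."""
    current = build_manifest(root)
    unexpected = sorted(p for p in current if p not in manifest
                        and Path(p).suffix.lower() in EXECUTABLE_EXT)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return {"unexpected": unexpected, "modified": modified, "missing": missing}

def build_demo():
    """Constructed demo tree (not a real install): take a baseline, then plant and edit files."""
    root = Path(tempfile.mkdtemp())
    app = root / "webapps" / "adssp"
    app.mkdir(parents=True)
    (app / "index.jsp").write_text("<%-- shipped page --%>")
    (app / "logo.png").write_bytes(b"\x89PNG...")
    baseline = build_manifest(root)
    (app / "help").mkdir()
    (app / "help" / "x.jsp").write_text("<%-- unexpected file --%>")  # unexpected JSP
    (app / "index.jsp").write_text("<%-- edited page --%>")          # modified shipped file
    (app / "notes.txt").write_text("harmless")                       # new, but not executable
    return root, baseline
```

Store the baseline manifest off the server; a manifest kept on the compromised host can be edited along with the files it describes.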

Rotate the ManageEngine service account credentials

If exploitation is suspected, immediately rotate the credentials for the service account used by ManageEngine ADSelfService Plus to connect to Active Directory. This account typically has broad AD read/write permissions and may have its credentials stored in the product's configuration database.

Check for and apply all subsequent ManageEngine security advisories

ManageEngine has had multiple critical vulnerabilities across its product line. After addressing CVE-2021-40539, review all security advisories for your specific ManageEngine products and ensure you are current on patches for CVE-2022-47966 and any subsequent critical findings.

The bottom line

CVE-2021-40539 is a case study in why self-service password reset portals are among the highest-value attack targets in enterprise environments — they are internet-facing by design, AD-integrated by requirement, and carry the implicit trust of an identity management system. Any ManageEngine ADSelfService Plus instance that was internet-facing before the September 2021 patch should be treated as potentially compromised and subjected to full forensic review, including examination of web directories, AD audit logs, and service account activity.

Frequently asked questions

What is CVE-2021-40539?

CVE-2021-40539 is a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus that allows unauthenticated attackers to access protected REST API endpoints and upload a malicious JSP file, achieving remote code execution on the server with the privileges of the ManageEngine application process.

Why is ADSelfService Plus a high-value target?

ManageEngine ADSelfService Plus is an enterprise self-service password reset and single sign-on portal directly integrated with Active Directory and LDAP. Compromising it gives attackers access to stored AD credentials, the ability to reset any user's password, and a foothold in a system with significant AD privileges — making it an ideal pivot point for full domain compromise.

Is CVE-2021-40539 the same as CVE-2022-47966 (the ManageEngine SAML RCE)?

No. CVE-2021-40539 affects only ManageEngine ADSelfService Plus and exploits an authentication bypass in the REST API. CVE-2022-47966 is a separate vulnerability affecting 24 different ManageEngine products via an Apache Santuario XML signature validation flaw. Both are critical, both have been exploited by APTs, and both require independent patching.

Sources & references

  1. CISA Advisory AA21-259A — APT Actors Exploiting CVE-2021-40539
  2. Zoho ManageEngine Security Advisory
  3. Unit 42 — Threat Brief: CVE-2021-40539
  4. NVD — CVE-2021-40539

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.