CVE-2021-37928: 
Zoho ManageEngine ADManager Plus vulnerability analysis and mitigation

Zoho ManageEngine ADManager Plus version 7110 and prior contains an unrestricted file upload vulnerability (CVE-2021-37928) that leads to remote code execution. The vulnerability was discovered and disclosed on October 7, 2021, affecting all versions of ADManager Plus up to and including version 7110 (NVD).

The vulnerability exists in the /RestAPI/WC/NotificationTemplate/attachFiles endpoint with parameter UPLOADED_FILE. When exploited, the vulnerability can be executed with SYSTEM user privileges if the server is running as a service. The CVSS v3.1 base score is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating the severity of this vulnerability (AttackerKB).

The vulnerability allows attackers to execute arbitrary code with SYSTEM privileges on affected systems, potentially leading to complete system compromise. This level of access could allow attackers to take full control of the affected system, access sensitive information, and potentially move laterally within the network (NVD).

The vulnerability has been patched by implementing file extension validation against an allowlist. Organizations should upgrade to a version newer than 7110. The patch includes validation of image file extensions and implements proper security checks for file uploads (Release Notes).