Wiz
Vulnerability DatabaseCVE-2021-38298

CVE-2021-38298
Zoho ManageEngine ADManager Plus vulnerability analysis and mitigation

Overview

Zoho ManageEngine ADManager Plus before version 7110 was found to be vulnerable to blind XML external entity (XXE) injection. The vulnerability was assigned identifier CVE-2021-38298 and was disclosed in October 2021. This security flaw affects the ADManager Plus software, which is a Windows Active Directory management and reporting solution (NVD).

Technical details

The vulnerability is classified as a blind XXE (XML External Entity) injection flaw. It received a CVSS v3.1 base score of 9.8 (CRITICAL), indicating its severe nature. The high severity score suggests that successful exploitation could have significant impact on system security (NVD).

Impact

A successful exploitation of this XXE vulnerability could potentially allow attackers to access unauthorized system resources, leading to sensitive data exposure, server-side request forgery, or denial of service conditions. The critical CVSS score indicates that the vulnerability could have severe consequences for affected systems (NVD).

Mitigation and workarounds

The primary mitigation for this vulnerability is to upgrade to ADManager Plus version 7110 or later. Zoho has addressed the XXE vulnerability in this release (ManageEngine Release Notes).

Additional resources

SourceThis report was generated using AI

Related Zoho ManageEngine ADManager Plus vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-10020HIGH8.8
  • Zoho ManageEngine ADManager PlusZoho ManageEngine ADManager Plus
  • cpe:2.3:a:zohocorp:manageengine_admanager_plus
NoNoOct 21, 2025
CVE-2024-24409HIGH8.8
  • Zoho ManageEngine ADManager PlusZoho ManageEngine ADManager Plus
  • cpe:2.3:a:zohocorp:manageengine_admanager_plus
NoNoNov 08, 2024
CVE-2024-48878HIGH8.8
  • Zoho ManageEngine ADManager PlusZoho ManageEngine ADManager Plus
  • cpe:2.3:a:zohocorp:manageengine_admanager_plus
NoNoNov 04, 2024
CVE-2023-6105MEDIUM5.5
  • Zoho ManageEngine ServiceDesk PlusZoho ManageEngine ServiceDesk Plus
  • cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
NoYesNov 15, 2023
CVE-2023-41904MEDIUM5.4
  • Zoho ManageEngine ADManager PlusZoho ManageEngine ADManager Plus
  • cpe:2.3:a:zohocorp:manageengine_admanager_plus
NoNoSep 27, 2023

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo