CVE-2026-2740

EUVD-2026-31283
Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
ZohocorpCNA
8.4 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
zohocorpmanageengine_adselfservice_plus
𝑥
< 6525
CNA
zohocorpmanageengine_adselfservice_plus
𝑥
< 6264
CNA
zohocorpmanageengine_adselfservice_plus
𝑥
< 6313
CNA
Common Weakness Enumeration
References
https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-2740.html