CVE-2026-2740 PUBLISHED

Remote Code Execution

Assigner: Zohocorp
Reserved: 19.02.2026 Published: 21.05.2026 Updated: 21.05.2026

Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS Score: 8.4

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Zohocorp
Product	ManageEngine ADSelfService Plus
Versions	Default: unaffected affected from 0 to 6525 (excl.)

Vendor	Zohocorp
Product	ManageEngine DataSecurity Plus
Versions	Default: unaffected affected from 0 to 6264 (excl.)

Vendor	Zohocorp
Product	ManageEngine RecoveryManager Plus
Versions	Default: unaffected affected from 0 to 6313 (excl.)

References

https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-2740.html

Problem Types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE