Introduction
A command injection flaw in three widely deployed ManageEngine products allows any authenticated domain user to execute arbitrary commands on endpoint machines running the products' agents. CVE-2026-2740 affects ADSelfService Plus, DataSecurity Plus, and RecoveryManager Plus, and carries a CVSS score of 8.4, placing it firmly in the high severity category.
ManageEngine, a division of Zohocorp, builds enterprise IT management software used by organizations worldwide for identity management, data protection, and Active Directory operations. These products are commonly deployed across large enterprise environments, meaning the agent footprint on domain joined endpoints can be substantial. The vulnerability's impact is amplified by the fact that the affected agents sit on workstations and servers throughout the network, turning each one into a potential execution target.
Technical Information
CVE-2026-2740 is classified under CWE-77: Improper Neutralization of Special Elements used in a Command. The root cause is a combination of two issues: insufficient access controls on the service responsible for installing and managing agents on client machines, and a bug in a third party dependency consumed by the affected products.
Attack Flow
The exploitation path requires the attacker to be an authenticated domain user. This is a relatively low bar in most enterprise environments, especially in post compromise scenarios where domain credentials have already been obtained through phishing, credential stuffing, or lateral movement.
Once authenticated, the attacker can interact with the service communication channel that exists between the ManageEngine server and the client endpoints where agents are installed. This channel is used operationally for agent deployment and management. Due to the improper access controls on this service, combined with the third party dependency bug, the attacker can inject commands through this channel.
The injected commands execute directly on the client machine hosting the agent. The specific agents affected are:
| Product | Vulnerable Agent Component |
|---|---|
| ADSelfService Plus | ADSelfService Plus login agent |
| RecoveryManager Plus | RecoveryManager Plus backup agent |
| DataSecurity Plus | DataSecurity Plus agent |
Because these agents typically run with elevated privileges on domain joined systems, successful exploitation could allow an attacker to establish persistent footholds, move laterally, or exfiltrate data from endpoints across the environment. The fact that a single vulnerability spans three distinct products and their respective agents increases the attack surface considerably for organizations running more than one of these solutions.
It is worth noting that the vendor's advisory attributes part of the root cause to a "bug in the 3rd party dependency," though the specific dependency has not been publicly named. The fix involved hardening the access controls for the agent deployment service, which suggests the third party component was being leveraged in a way that bypassed intended authorization checks.
Affected Systems and Versions
The following products and version ranges are confirmed vulnerable:
| Product | Affected Versions | Fixed Version | Fix Release Date |
|---|---|---|---|
| ADSelfService Plus | Build 6524 and earlier | Build 6525 | 5 February 2026 |
| DataSecurity Plus | Build 6263 and earlier | Build 6264 | 13 February 2026 |
| RecoveryManager Plus | Build 6312 and earlier | Build 6313 | 24 March 2026 |
Any endpoint running the login agent, backup agent, or data security agent from these products at the listed vulnerable versions is at risk. Organizations should note that the agents, not just the server components, are the targets of exploitation in this case.
Vendor Security History
ManageEngine products have had prior security issues worth noting. CVE-2020-11532 involved default admin credentials in DataSecurity Plus that allowed communication with a DataEngine Xnode server, a fundamentally different class of vulnerability but one that underscores the importance of scrutinizing access controls in ManageEngine deployments.
For CVE-2026-2740, ManageEngine published its advisory and released patches before the National Vulnerability Database entry was finalized. This proactive disclosure is a positive signal, though the staggered release schedule (February through March 2026 across the three products) means organizations may have had uneven exposure windows depending on which products they run.



