PatchSiren

CVE-2026-2740 Zohocorp CVE debrief

CVE-2026-2740 is a high-severity authenticated remote code execution issue affecting ManageEngine ADSelfService Plus before 6525, DataSecurity Plus before 6264, and RecoveryManager Plus before 6313. The supplied NVD record rates it 8.4 and maps it to CWE-77, with a CVSS 3.1 vector of AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L, indicating a network-reachable attack path that requires authenticated access and has high attack complexity.

Vendor: Zohocorp
Product: ManageEngine ADSelfService Plus
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams responsible for ManageEngine ADSelfService Plus, DataSecurity Plus, and RecoveryManager Plus deployments, especially where authenticated users can reach the affected agent workflows or agent machines.

Technical summary

The source corpus describes an authenticated remote code execution flaw in the agent machines for affected ManageEngine products, attributed to a bug in a third-party dependency. NVD associates the issue with CWE-77 and records a CVSS 3.1 score of 8.4 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L). Based on the supplied data, the vulnerable versions are ADSelfService Plus prior to 6525, DataSecurity Plus prior to 6264, and RecoveryManager Plus prior to 6313.

Defensive priority

High. Authenticated RCE on agent machines can enable code execution on managed hosts, and the supplied CVSS score indicates substantial confidentiality and integrity impact.

Recommended defensive actions

  • Upgrade ManageEngine ADSelfService Plus to version 6525 or later.
  • Upgrade ManageEngine DataSecurity Plus to version 6264 or later.
  • Upgrade ManageEngine RecoveryManager Plus to version 6313 or later.
  • Review exposure of agent-machine functionality to authenticated users and restrict access to only required administrators and service accounts.
  • Monitor affected hosts for unexpected command execution, new processes, unusual agent behavior, and unauthorized configuration changes.
  • Follow the linked ManageEngine advisory for product-specific remediation guidance and any interim mitigation steps.

Evidence notes

All claims in this debrief are limited to the supplied CVE description, the NVD metadata snapshot, and the referenced ManageEngine advisory link. The source package provides no exploit details, no KEV entry, and no additional vendor guidance beyond the advisory reference. Vendor attribution in the supplied enrichment is low-confidence and marked for review.

Official resources

Published using the supplied CVE publication timestamp of 2026-05-21T14:16:44.850Z. No KEV date was supplied in the source corpus.