CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2021-40539: ManageEngine ADSelfService Plus Authentication Bypass and RCE

A REST API authentication bypass in ManageEngine ADSelfService Plus that APT41 and other threat actors exploited to compromise defense contractors, critical infrastructure, and academic institutions, dropping Godzilla webshells and deploying PetitPotam for full domain compromise

9.8
CVSS Score
3+
Distinct APT clusters exploiting
CISA KEV
Added September 2021
Build 6114
First patched version

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2021-40539 is a critical authentication bypass and remote code execution vulnerability in ManageEngine ADSelfService Plus, patched in September 2021. The flaw allowed unauthenticated attackers to send requests to REST API endpoints that should require authentication, then upload a malicious JSP file to achieve code execution on the server. CISA, FBI, and CGCYBER issued a joint advisory confirming exploitation by APT41 and at least two other threat actor clusters against U.S. defense contractors, academic institutions, and critical infrastructure operators. The product's deep Active Directory integration made every compromised instance a potential full-domain-compromise launchpad.

Vulnerability Details: REST API Authentication Bypass

ManageEngine ADSelfService Plus exposes a REST API for administrative operations and integrations. The authentication bypass in CVE-2021-40539 allows an attacker to access specific protected API endpoints, particularly those related to custom certificate and application configuration, by manipulating the URL path in a way that bypasses the authentication filter.

With access to the unprotected API endpoint, an attacker can upload a file to the server filesystem. By uploading a JSP webshell to a web-accessible directory and then requesting it via the web interface, the attacker achieves code execution with the privileges of the ManageEngine service account, typically a highly privileged AD service account.

APT41 and the Godzilla Webshell Campaign

Unit 42 and CISA documented at least three distinct threat actor clusters exploiting CVE-2021-40539 within weeks of disclosure:

APT41 (also tracked as Winnti, BARIUM, Double Dragon): The Chinese state-sponsored group deployed their signature Godzilla webshell, a Java-based webshell with AES encryption for C2 communications that evades many signature-based detection systems. Post-exploitation included deployment of the SIDEWALK backdoor (a modular implant with C2 over HTTPS) and NeoIcedoor.

Second cluster: Deployed the PetitPotam NTLM relay attack against the compromised server's local Active Directory Certificate Services, escalating from ADSelfService Plus compromise to full domain compromise by coercing the DC to authenticate and relaying to AD CS for a domain controller certificate.

Third cluster: Focused on lateral movement and data exfiltration using the initial webshell access to pivot to connected internal systems.

1

Identify Internet-Facing ADSelfService Plus Instance

ADSelfService Plus is commonly internet-facing as a self-service password reset portal. Attackers identify exposed instances via Shodan or direct scanning for the ManageEngine portal interface.

2

Authentication Bypass to REST API

Attacker sends a crafted request to a protected REST API endpoint with a URL path manipulation that bypasses the authentication filter. No credentials required.

3

JSP Webshell Upload

Using the unauthenticated API access, attacker uploads a JSP webshell (commonly the Godzilla webshell in observed campaigns) to a web-accessible directory on the server.

4

Code Execution as ManageEngine Service Account

Attacker accesses the uploaded webshell via HTTP, achieving code execution with the privileges of the ManageEngine process, typically a high-privilege AD service account.

5

Domain Compromise via PetitPotam or Credential Harvest

APT41 cluster used PetitPotam to coerce NTLM authentication from the DC and relay it to AD CS for full domain compromise. Others directly harvested AD credentials stored in ADSelfService Plus configuration.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Why ADSelfService Plus Access Leads to Domain Compromise

ManageEngine ADSelfService Plus is AD-integrated by design. The server's service account typically holds permissions to:

  • Read all user and computer attributes from Active Directory
  • Unlock accounts and reset passwords for all domain users
  • Query and enumerate AD groups and organizational units

Additionally, ADSelfService Plus stores AD administrator credentials in its configuration database for the purpose of performing password resets. Dumping this configuration file from a compromised server yields credentials with AD admin-level permissions.

Detection

Key indicators for CVE-2021-40539 exploitation:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Priority actions:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2021-40539 is a case study in why self-service password reset portals are among the highest-value attack targets in enterprise environments, they are internet-facing by design, AD-integrated by requirement, and carry the implicit trust of an identity management system. Any ManageEngine ADSelfService Plus instance that was internet-facing before the September 2021 patch should be treated as potentially compromised and subjected to full forensic review, including examination of web directories, AD audit logs, and service account activity.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2021-40539?

CVE-2021-40539 is a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus that allows unauthenticated attackers to access protected REST API endpoints and upload a malicious JSP file, achieving remote code execution on the server with the privileges of the ManageEngine application process.

Why is ADSelfService Plus a high-value target?

ManageEngine ADSelfService Plus is an enterprise self-service password reset and single sign-on portal directly integrated with Active Directory and LDAP. Compromising it gives attackers access to stored AD credentials, the ability to reset any user's password, and a foothold in a system with significant AD privileges, making it an ideal pivot point for full domain compromise.

Is CVE-2021-40539 the same as CVE-2022-47966 (the ManageEngine SAML RCE)?

No. CVE-2021-40539 affects only ManageEngine ADSelfService Plus and exploits an authentication bypass in the REST API. CVE-2022-47966 is a separate vulnerability affecting 24 different ManageEngine products via an Apache Santuario XML signature validation flaw. Both are critical, both have been exploited by APTs, and both require independent patching.

What is the Godzilla webshell and why does APT41 use it?

Godzilla is a Java-based webshell framework developed by Chinese security researchers and widely adopted by APT41 and other Chinese threat actors. It differs from basic webshells because all communications between the attacker and the webshell are AES-encrypted with a key embedded in the webshell configuration, making the traffic appear as opaque binary data to network intrusion detection systems. Godzilla supports multiple scripting backends (Java, PHP, .NET) and provides an interactive console interface rather than a simple command execution form. Its AES encryption specifically defeats signature-based detection of common webshell traffic patterns, while its modular design supports extension with custom plugins for credential dumping, pivoting, and port forwarding.

Why do multiple APT clusters simultaneously target the same ManageEngine vulnerability?

High-profile enterprise software vulnerabilities like CVE-2021-40539 attract concurrent exploitation by multiple independent threat actors because they share common characteristics: they are internet-facing, widely deployed in high-value organizations, and provide immediate high-privilege access. Chinese APT groups (APT41, APT10 cluster variants) maintain independent vulnerability research programs and monitor CISA advisories and security publications closely. When a vulnerability provides access to an AD-integrated system with password-reset capabilities, multiple groups assess it as a priority target independently. The overlap of exploitation campaigns from multiple clusters within weeks of disclosure is now standard for critical enterprise vulnerabilities.

What specific post-exploitation activities did APT41 conduct after exploiting CVE-2021-40539?

According to CISA Advisory AA21-259A and Unit 42 reporting, APT41's post-exploitation activities following CVE-2021-40539 exploitation included: deploying the Godzilla webshell for persistent interactive access; installing the SIDEWALK backdoor, a modular implant with HTTPS C2 using Google Forms as a communication channel; deploying NeoIcedoor for additional persistence; conducting Active Directory enumeration using the ManageEngine service account's AD read permissions; and extracting stored credentials from the ADSelfService Plus configuration database. PetitPotam NTLM relay was used by a second cluster to escalate from ManageEngine server access to full domain compromise by coercing DC authentication and relaying to AD Certificate Services.

Sources & references

  1. CISA Advisory AA21-259A, APT Actors Exploiting CVE-2021-40539
  2. Zoho ManageEngine Security Advisory
  3. Unit 42, Threat Brief: CVE-2021-40539
  4. NVD, CVE-2021-40539

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.