CVE-2021-40539: ManageEngine ADSelfService Plus Authentication Bypass and RCE
A REST API authentication bypass in ManageEngine ADSelfService Plus that APT41 and other threat actors exploited to compromise defense contractors, critical infrastructure, and academic institutions, dropping Godzilla webshells and deploying PetitPotam for full domain compromise

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2021-40539 is a critical authentication bypass and remote code execution vulnerability in ManageEngine ADSelfService Plus, patched in September 2021. The flaw allowed unauthenticated attackers to send requests to REST API endpoints that should require authentication, then upload a malicious JSP file to achieve code execution on the server. CISA, FBI, and CGCYBER issued a joint advisory confirming exploitation by APT41 and at least two other threat actor clusters against U.S. defense contractors, academic institutions, and critical infrastructure operators. The product's deep Active Directory integration made every compromised instance a potential full-domain-compromise launchpad.
Vulnerability Details: REST API Authentication Bypass
ManageEngine ADSelfService Plus exposes a REST API for administrative operations and integrations. The authentication bypass in CVE-2021-40539 allows an attacker to access specific protected API endpoints, particularly those related to custom certificate and application configuration, by manipulating the URL path in a way that bypasses the authentication filter.
With access to the unprotected API endpoint, an attacker can upload a file to the server filesystem. By uploading a JSP webshell to a web-accessible directory and then requesting it via the web interface, the attacker achieves code execution with the privileges of the ManageEngine service account, typically a highly privileged AD service account.
APT41 and the Godzilla Webshell Campaign
Unit 42 and CISA documented at least three distinct threat actor clusters exploiting CVE-2021-40539 within weeks of disclosure:
APT41 (also tracked as Winnti, BARIUM, Double Dragon): The Chinese state-sponsored group deployed their signature Godzilla webshell, a Java-based webshell with AES encryption for C2 communications that evades many signature-based detection systems. Post-exploitation included deployment of the SIDEWALK backdoor (a modular implant with C2 over HTTPS) and NeoIcedoor.
Second cluster: Deployed the PetitPotam NTLM relay attack against the compromised server's local Active Directory Certificate Services, escalating from ADSelfService Plus compromise to full domain compromise by coercing the DC to authenticate and relaying to AD CS for a domain controller certificate.
Third cluster: Focused on lateral movement and data exfiltration using the initial webshell access to pivot to connected internal systems.
Identify Internet-Facing ADSelfService Plus Instance
ADSelfService Plus is commonly internet-facing as a self-service password reset portal. Attackers identify exposed instances via Shodan or direct scanning for the ManageEngine portal interface.
Authentication Bypass to REST API
Attacker sends a crafted request to a protected REST API endpoint with a URL path manipulation that bypasses the authentication filter. No credentials required.
JSP Webshell Upload
Using the unauthenticated API access, attacker uploads a JSP webshell (commonly the Godzilla webshell in observed campaigns) to a web-accessible directory on the server.
Code Execution as ManageEngine Service Account
Attacker accesses the uploaded webshell via HTTP, achieving code execution with the privileges of the ManageEngine process, typically a high-privilege AD service account.
Domain Compromise via PetitPotam or Credential Harvest
APT41 cluster used PetitPotam to coerce NTLM authentication from the DC and relay it to AD CS for full domain compromise. Others directly harvested AD credentials stored in ADSelfService Plus configuration.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Why ADSelfService Plus Access Leads to Domain Compromise
ManageEngine ADSelfService Plus is AD-integrated by design. The server's service account typically holds permissions to:
- Read all user and computer attributes from Active Directory
- Unlock accounts and reset passwords for all domain users
- Query and enumerate AD groups and organizational units
Additionally, ADSelfService Plus stores AD administrator credentials in its configuration database for the purpose of performing password resets. Dumping this configuration file from a compromised server yields credentials with AD admin-level permissions.
Detection
Key indicators for CVE-2021-40539 exploitation:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Priority actions:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2021-40539 is a case study in why self-service password reset portals are among the highest-value attack targets in enterprise environments, they are internet-facing by design, AD-integrated by requirement, and carry the implicit trust of an identity management system. Any ManageEngine ADSelfService Plus instance that was internet-facing before the September 2021 patch should be treated as potentially compromised and subjected to full forensic review, including examination of web directories, AD audit logs, and service account activity.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2021-40539?
CVE-2021-40539 is a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus that allows unauthenticated attackers to access protected REST API endpoints and upload a malicious JSP file, achieving remote code execution on the server with the privileges of the ManageEngine application process.
Why is ADSelfService Plus a high-value target?
ManageEngine ADSelfService Plus is an enterprise self-service password reset and single sign-on portal directly integrated with Active Directory and LDAP. Compromising it gives attackers access to stored AD credentials, the ability to reset any user's password, and a foothold in a system with significant AD privileges, making it an ideal pivot point for full domain compromise.
Is CVE-2021-40539 the same as CVE-2022-47966 (the ManageEngine SAML RCE)?
No. CVE-2021-40539 affects only ManageEngine ADSelfService Plus and exploits an authentication bypass in the REST API. CVE-2022-47966 is a separate vulnerability affecting 24 different ManageEngine products via an Apache Santuario XML signature validation flaw. Both are critical, both have been exploited by APTs, and both require independent patching.
What is the Godzilla webshell and why does APT41 use it?
Godzilla is a Java-based webshell framework developed by Chinese security researchers and widely adopted by APT41 and other Chinese threat actors. It differs from basic webshells because all communications between the attacker and the webshell are AES-encrypted with a key embedded in the webshell configuration, making the traffic appear as opaque binary data to network intrusion detection systems. Godzilla supports multiple scripting backends (Java, PHP, .NET) and provides an interactive console interface rather than a simple command execution form. Its AES encryption specifically defeats signature-based detection of common webshell traffic patterns, while its modular design supports extension with custom plugins for credential dumping, pivoting, and port forwarding.
Why do multiple APT clusters simultaneously target the same ManageEngine vulnerability?
High-profile enterprise software vulnerabilities like CVE-2021-40539 attract concurrent exploitation by multiple independent threat actors because they share common characteristics: they are internet-facing, widely deployed in high-value organizations, and provide immediate high-privilege access. Chinese APT groups (APT41, APT10 cluster variants) maintain independent vulnerability research programs and monitor CISA advisories and security publications closely. When a vulnerability provides access to an AD-integrated system with password-reset capabilities, multiple groups assess it as a priority target independently. The overlap of exploitation campaigns from multiple clusters within weeks of disclosure is now standard for critical enterprise vulnerabilities.
What specific post-exploitation activities did APT41 conduct after exploiting CVE-2021-40539?
According to CISA Advisory AA21-259A and Unit 42 reporting, APT41's post-exploitation activities following CVE-2021-40539 exploitation included: deploying the Godzilla webshell for persistent interactive access; installing the SIDEWALK backdoor, a modular implant with HTTPS C2 using Google Forms as a communication channel; deploying NeoIcedoor for additional persistence; conducting Active Directory enumeration using the ManageEngine service account's AD read permissions; and extracting stored credentials from the ADSelfService Plus configuration database. PetitPotam NTLM relay was used by a second cluster to escalate from ManageEngine server access to full domain compromise by coercing DC authentication and relaying to AD Certificate Services.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
