Free Edition| Vulnerability details | |
| Severity | High |
| CVE ID | CVE-2026-2740 |
| Product details | |||
| Name | Affected version(s) | Fixed version(s) | Fixed on |
| ADSelfService Plus | 6524 and earlier | Build 6525 | 7 February 2026 |
| DataSecurity Plus | 6263 and earlier | Build 6264 | 13 February 2026 |
| RecoveryManager Plus | 6312 and earlier | Build 6313 | 24 March 2026 |
CVE-2026-2740 refers to an authenticated remote command execution vulnerability reported in the remote agent installation workflow of ManageEngine ADSelfService Plus, RecoveryManager Plus, and DataSecurity Plus. Under certain conditions during agent installation on a client machine, a user with valid local credentials on that machine could execute arbitrary commands on it.
The agent deployed via the affected installation module for each product is listed below:
| Product | Agent affected |
| ADSelfService Plus | ADSelfService Plus login agent |
| RecoveryManager Plus | RecoveryManager Plus backup agent |
| DataSecurity Plus | DataSecurity Plus agent |
A successful exploit could allow a user with valid local credentials on a client machine to execute arbitrary commands on that machine during agent installation.
This issue has been resolved by hardening access control to the service used for deploying the respective products' agents.
Download and apply the latest upgrade pack from the following links:
This issue was reported through the Zoho BugBounty program.
Please contact product support at the mail addresses mentioned below for further assistance. You can also contact our security team.
Need further assistance? Fill this form, and we'll contact you rightaway.
Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.
Intimate Active Directory users of their impending password and account expiry via email and SMS notifications.
Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Strong passwords resist various hacking threats. Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements.
Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.
