[Fixed] SQL Injection in Orchestration Database Operations Leading to RCE (ZVE-2026-1941) - ManageEngine ADManager Plus

Vulnerability Details
Severity	High
ZVE ID	ZVE-2026-1941
Affected software versions	Build 8041 and older
Fixed version	Build 8042
Fixed on	April 22, 2026

Details

ZVE-2026-1941 refers to a SQL Injection vulnerability in the Orchestration Database Operations component of ADManager Plus. Improper handling of user-supplied input in database query fields allowed authenticated users to inject malicious SQL queries.

An attacker with permissions to create and run automation workflows could manipulate inputs in the Column Value and Where Criteria fields to execute arbitrary SQL commands. This could result in unauthorized data access and potential execution of system-level commands in environments where dangerous database procedures are enabled.

Impact

This vulnerability could allow an authenticated adversary to:

• Perform unauthorized data manipulation (INSERT, UPDATE, DELETE).
• Access sensitive data from any database table.
• Execute arbitrary SQL queries using UNION-based injection
• Achieve Remote Code Execution (RCE) via database features such as xp_cmdshell (if enabled).
• Escalate privileges by creating high-privileged database accounts.
• Access full SQL queries exposed in application responses.

Fix

This issue has been resolved in ADManager Plus build 8042 by enforcing strict input validation and parameterization of database queries within the Orchestration Database Operations component, thereby preventing execution of malicious SQL statements.

Steps to update

Update your ADManager Plus instance to the latest build by installing the service pack.

Acknowledgement

This vulnerability was reported by khanh nguyen via Zoho's Bug Bounty program.