Support
 
Phone Live Chat
 
Support
 
US: +1 888 720 9500
US: +1 800 443 6694
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9393

 
 
 
 
 
Security Updates

[Fixed] Authenticated command injection in test custom function (ZVE-2026-1981) - ManageEngine ADManager Plus

Vulnerability Details
Severity High
ZVE ID ZVE-2026-1981
Affected software versions Build 8041 and older
Fixed version Build 8042
Fixed on April 21, 2026

Details

ZVE-2026-1981 refers to an authenticated command injection vulnerability in the /api/json/admin/testCustomScript endpoint of ADManager Plus. Improper handling of user-supplied input in custom function testing allowed users to inject and execute arbitrary system commands on the server.

Users with Custom Functions privileges could exploit this issue by manipulating the ARGUMENTS parameter. Additionally, the functionality was accessible to lower-privileged roles (such as HR Associate), increasing the attack surface. This issue has been fixed in build 8042.

Impact

This vulnerability could allow an authenticated adversary to:

  • Execute arbitrary system commands on the server.
  • Escalate privileges due to insufficient access control.
  • Compromise the underlying system and application instance.
  • Access sensitive data or modify system configurations.

Fix

This issue has been resolved in ADManager Plus build 8042 by implementing strict input validation and sanitization of user-supplied parameters in the custom function testing endpoint, along with enforcing proper access controls to prevent execution of unauthorized system commands.

Steps to update

Update your ADManager Plus instance to the latest build by installing the service pack.

Acknowledgement

This vulnerability was reported by khanh nguyen via Zoho's Bug Bounty program.

 

Select a language to translate the contents of this web page:

Need further assistance?

Fill this form, and we'll contact you rightaway.

Request Support

  •  
  • *
     
  • *
     
  • *
     
  • By submitting you agree to processing of personal data according to the Privacy Policy.

"Thank you for submitting your request.

Our technical support team will get in touch with you at the earliest."

ADManager Plus Trusted By

The one-stop solution to Active Directory Management and Reporting
Email Download Link Email the ADManager Plus download link