Free Edition| Vulnerability details | |
| Severity | High |
| CVE ID | CVE-2026-2740 |
| Product details | |||
| Name | Affected version(s) | Fixed version(s) | Fixed on |
| ADSelfService Plus | 6524 and earlier | Build 6525 | 5 February 2026 |
| DataSecurity Plus | 6263 and earlier | Build 6264 | 13 February 2026 |
| RecoveryManager Plus | 6312 and earlier | Build 6313 | 24 March 2026 |
CVE-2026-2740 refers to a security vulnerability reported in ManageEngine ADSelfService Plus, RecoveryManager Plus, and DataSecurity Plus that could lead to an authenticated remote command execution vulnerability on client machines where the respective products' agent is installed. This vulnerability stems from improper access controls to the service used to install the following agents on client machines:
| Product | Agent affected |
| ADSelfService Plus | ADSelfService Plus login agent |
| RecoveryManager Plus | RecoveryManager Plus backup agent |
| DataSecurity Plus | DataSecurity Plus agent |
This vulnerability could only be exploited by authenticated domain users. Such a user could exploit this vulnerability by accessing the service communication channel between the server and client, and executing arbitrary commands on client machines.
This issue has been resolved by hardening access control to the service used for deploying the respective products' agents.
Download and apply the latest upgrade pack from the following links:
This issue was reported through the Zoho BugBounty program.
Please contact product support at the mail addresses mentioned below for further assistance. You can also contact our security team.
Need further assistance? Fill this form, and we'll contact you rightaway.
Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.
Intimate Active Directory users of their impending password and account expiry via email and SMS notifications.
Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Strong passwords resist various hacking threats. Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements.
Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.
