Hernan Diaz

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADSelfService Plus versions prior to 6122 **Description** The issue allows a remote authenticated administrator to execute arbitrary operating system commands as SYSTEM via the policy custom script feature. This can be exploited due to the use of a default administrator password, making it easier for attackers to abuse this functionality. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field, specifically the `password` field. This vulnerability can be exploited when a certain password sync feature is enabled, which uses passwords as script arguments, allowing for remote code execution via executable CMD.EXE input. **Recommendations** For versions prior to 6122, update to a version that includes the fix for this issue, specifically build 6122 or later, to prevent remote code execution. As a temporary workaround, consider disabling the policy custom script feature until a patch is available. Restrict access to the password sync feature that uses passwords as script arguments to minimize the risk of exploitation. Avoid using the `password` field in the custom script until the issue is resolved.