Impact
The vulnerability stems from a flaw in a third-party dependency that allows an attacker to execute arbitrary commands inside the agent processes of Zohocorp ManageEngine services. The flaw is classified as command injection (CWE-77). If successfully exploited, it lets the attacker compromise the integrity of the affected systems, gain full control over the compromised agent machines, and potentially move laterally within the environment.
Affected Systems
The affected products are ManageEngine ADSelfService Plus (all releases prior to 6525), ManageEngine DataSecurity Plus (prior to 6264), and ManageEngine RecoveryManager Plus (prior to 6313). The issue applies to all installations of these products, regardless of geographic location or deployment model.
Risk and Exploitability
The CVSS score of 8.4 indicates high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but neither fact reduces the potential impact. Exploitation requires authenticated access to the agent, meaning the attacker must supply valid credentials that the agent accepts. The vulnerability is exploitable over the network between the central server and the agent machines, so an outsider who obtains credentials (for example through phishing or weak password policies) can remotely trigger arbitrary code execution on the agent side.
OpenCVE Enrichment