ManageEngine Access Manager Plus Authentication Bypass (CVE-2021-44676)

critical Nessus Plugin ID 159572


A privileged session management application is affected by an authentication bypass vulnerability.


The ManageEngine Access Manager Plus instance running on the remote host is affected by an authentication bypass vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to invoke an authenticated Java servlet.


Upgrade to Access Manager Plus build 4203 or later.

Plugin Details

Severity: Critical

ID: 159572

File Name: manageengine_access_manager_plus_cve-2021-44676.nbin

Version: 1.41

Type: remote

Family: CGI abuses

Published: 4/7/2022

Updated: 5/20/2024

Supported Sensors: Nessus

Risk Information


Risk Factor: Medium

Score: 5.9


CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-44676


CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_access_manager_plus

Required KB Items: installed_sw/ManageEngine Access Manager Plus

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 12/4/2021

Vulnerability Publication Date: 12/5/2021

Reference Information

CVE: CVE-2021-44676