Share this article on:
A critical vulnerability has been identified in the Zoho ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution which is being exploited in the wild and have been for some time. A patch has now been issued to fix the vulnerability, which should be applied immediately to prevent exploitation of the flaw.
The vulnerability, tracked as CVE-2021-40539, is an authentication bypass flaw that can be remotely exploited by an attacker to gain control of Active Directory (AD) and cloud accounts and, from there, pivot to other parts of the network. At present no CVSS score has been assigned to the vulnerability, but it has been rated critical.
According to the ManageEngine security advisory, “This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE.”
The vulnerability has been corrected in the latest build – 6114 – of the solution. In addition to updating to the latest version, it is strongly recommended not to expose ADSelfService Plus to the Internet.
If it is suspected that the flaw has already been exploited, evidence can be found in the app’s logs. Look for /RestAPI/LogonCustomization or /RestAPI/Connection and if either of those entries are found, it indicates the flaw has already been exploited.
Other indicators of compromise include the prescence of service.cer in the \ManageEngine\ADSelfService Plus\bin folder or ReportGenerate.jsp in the \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder.