Zoho’s Critical ADSelfService Plus Bug Was Patched
CISA warned that a critical vulnerability in Zoho's ManageEngine ADSelfService Plus is being exploited.
The flaw allows attackers to take full control of an affected system.
ADSelfService Plus is designed for larger companies that require a single sign-on solution for Active Directory and cloud apps as well as integrated self-service password management.
The flaw has been assigned CVE-2021-40539 and is rated critical because it allows an unauthenticated remote attacker to execute arbitrary code on a vulnerable server.
A Patch Is Now Available
Zoho published a security advisory announcing that a fixed build of ADSelfService Plus is now available.
The company said it was “noticing indications of this vulnerability being exploited” in the wild; the alert from CISA was more direct, stating that “CVE-2021-40539 has been detected in exploits in the wild.”
At the time of writing, few technical details about the vulnerability are available.
NIST has not yet published a CVSS score for the flaw, but Zoho itself rates it critical, describing it as:
An authentication bypass vulnerability affecting REST API URLs, that could result in remote code execution.
Any organization running an ADSelfService Plus build earlier than 6114 should update immediately to the latest available build (6114 or later).
This is not the first critical vulnerability reported in Zoho ManageEngine ADSelfService Plus: CVE-2021-40539 is the fifth one reported this year.
The four earlier vulnerabilities reported in Zoho ManageEngine ADSelfService Plus are:
- CVE-2021-37421 – admin portal access-restriction bypass in Zoho ManageEngine ADSelfService Plus 6103 and earlier.
- CVE-2021-37417 – CAPTCHA bypass due to improper parameter validation in Zoho ManageEngine ADSelfService Plus build 6103 and earlier.
- CVE-2021-33055 – unauthenticated remote code execution in non-English editions affecting Zoho ManageEngine ADSelfService Plus through 6102.
- CVE-2021-28958 – unauthenticated remote code execution in the password-change flow in all Zoho ManageEngine ADSelfService Plus builds up to 6101.
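The build thresholds above (earlier than 6114 for CVE-2021-40539, and the per-CVE cut-offs in the list) are what an administrator actually needs when triaging a fleet. The following Python helper is an added example written for this article, not Zoho's code or part of any advisory: it reads a build number from a `key=value` properties text (the file name and the `buildnumber` key are assumptions; adjust them for your installation, or take the build number from the product console) and reports which of the five listed CVEs still apply. Note that "builds previous to 6114" means 6113 is the last vulnerable build, and that CVE-2021-33055 only applies to non-English editions.

```python
"""
Triage helper mapping an ADSelfService Plus build number to the five 2021 CVEs
listed in the article. Hypothetical tooling written for this article; it is not
part of Zoho's product, its advisory, or CISA's alert.
"""
import re
from typing import Dict, List, Optional

# Last affected build for each CVE, taken from the advisories summarised in the
# article. "Builds previous to 6114" means 6113 is the last vulnerable build.
LAST_VULNERABLE_BUILD: Dict[str, int] = {
    "CVE-2021-40539": 6113,  # REST API authentication bypass -> RCE, fixed in 6114
    "CVE-2021-37421": 6103,  # admin portal access-restriction bypass
    "CVE-2021-37417": 6103,  # CAPTCHA bypass (improper parameter validation)
    "CVE-2021-33055": 6102,  # unauthenticated RCE, non-English editions only
    "CVE-2021-28958": 6101,  # unauthenticated RCE in the password-change flow
}

FIXED_BUILD = 6114  # first build that addresses CVE-2021-40539 (and the rest)

# Assumption of this example: the build is available as a "buildnumber=NNNN"
# line in a properties-style file shipped with the product. The key name and
# file location are not taken from the article; verify them on your install.
_BUILD_RE = re.compile(r"^\s*buildnumber\s*=\s*(\d{4,})\s*$",
                       re.IGNORECASE | re.MULTILINE)


def parse_build_number(properties_text: str) -> Optional[int]:
    """Return the build number found in the properties text, or None."""
    match = _BUILD_RE.search(properties_text)
    return int(match.group(1)) if match else None


def affected_cves(build: int, non_english_edition: bool = False) -> List[str]:
    """List the CVEs from the article that still apply to the given build."""
    hits: List[str] = []
    for cve, last_bad in LAST_VULNERABLE_BUILD.items():
        if build > last_bad:
            continue  # this build already carries the fix
        if cve == "CVE-2021-33055" and not non_english_edition:
            continue  # only non-English editions are affected
        hits.append(cve)
    return hits


def triage(properties_text: str, non_english_edition: bool = False) -> dict:
    """Combine parsing and the CVE check into one report for an install."""
    build = parse_build_number(properties_text)
    if build is None:
        return {"build": None, "cves": [],
                "action": "build number not found; check the product console"}
    cves = affected_cves(build, non_english_edition)
    action = (f"update to build {FIXED_BUILD} or later" if cves
              else "no known exposure to the listed CVEs")
    return {"build": build, "cves": cves, "action": action}


# Constructed sample input for demonstration; not a capture from a real system.
SAMPLE_PROPERTIES = """\
productname=ADSelfService Plus
buildnumber=6112
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PROPERTIES))
```

Run it against the properties text of each server (or feed it the build number shown in the console); any non-empty `cves` list means the host needs the 6114-or-later build, regardless of which individual CVE triggered it.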