Heimdal Security Blog

Zoho’s Critical ADSelfService Plus Bug Was Patched

The vulnerability allows malicious actors to take control of affected systems.

ADSelfService Plus is aimed at larger organizations that need a single sign-on solution for Active Directory and cloud applications, together with integrated self-service password management.

The flaw has been assigned CVE-2021-40539 and is considered critical because it allows an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

A Patch Is Now Available

Zoho has published a security advisory announcing that an update that patches the bug is now available for ADSelfService Plus.

The company disclosed that it was “noticing indications of this vulnerability being exploited” in the wild, and the alert from CISA was explicit on this point, stating that “CVE-2021-40539 has been detected in exploits in the wild.”

At the time of writing, little information about the vulnerability is publicly available.

It is worth noting that the U.S. National Institute of Standards and Technology has not yet calculated a severity score for the flaw, but the company itself considers the issue critical:

An authentication bypass vulnerability affecting REST API URLs, that could result in remote code execution.

Source

ADSelfService Plus builds prior to 6114 should be updated immediately to the latest available build. Because the bug is already being exploited, updating alone does not rule out an earlier compromise; instances that were reachable while unpatched should also be reviewed for signs of intrusion.
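One way to triage a fleet against the fixed build, as an added example that is not part of the original article and not Zoho's or Heimdal's own tooling: the script below takes a list of (hostname, version string) pairs, extracts the numeric build from each string, and flags hosts below build 6114. The hostnames and version-string formats in the sample inventory are constructed for illustration, and the assumption that the build appears as a four- or five-digit number inside the version string is mine, not something the advisory states.

```python
import re

# First ADSelfService Plus build that contains the fix for CVE-2021-40539,
# per the vendor advisory quoted above.
FIXED_BUILD = 6114

# Assumption (not from the advisory): the build number shows up as a
# standalone 4- or 5-digit integer inside whatever version string an
# inventory tool reports, e.g. "Build No: 6113" or "6.1.0 (6114)".
BUILD_RE = re.compile(r"\b(\d{4,5})\b")


def parse_build(version_text):
    """Return the numeric build found in a free-form version string, or None."""
    match = BUILD_RE.search(version_text or "")
    return int(match.group(1)) if match else None


def classify(build):
    """Map a build number to a triage status; unknown builds are never assumed safe."""
    if build is None:
        return "unknown"
    return "vulnerable" if build < FIXED_BUILD else "patched"


def triage(inventory):
    """inventory: iterable of (hostname, version_string). Returns {hostname: status}."""
    return {host: classify(parse_build(version)) for host, version in inventory}


# Constructed sample data; not taken from any real environment.
SAMPLE_INVENTORY = [
    ("adssp-01.corp.example", "Build No: 6113"),
    ("adssp-02.corp.example", "6.1.0 (6114)"),
    ("adssp-03.corp.example", "ADSelfService Plus 6105"),
    ("adssp-04.corp.example", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

Hosts reported as "unknown" should be checked by hand rather than treated as patched; an inventory agent that cannot read the build is exactly the case where a vulnerable instance slips through.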

This is not the first vulnerability reported in Zoho ManageEngine ADSelfService Plus; CVE-2021-40539 is the fifth critical vulnerability reported in the product this year.

Other vulnerabilities previously reported in Zoho ManageEngine ADSelfService Plus include: