CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability

Cyber Security

Products You May Like

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild.

The flaw, tracked as CVE-2021-40539, concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted.

ManageEngine ADSelfService Plus is an integrated self-service password management and a single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their passwords.

“CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system,” CISA said, urging companies to apply the latest security update to their ManageEngine servers and “ensure ADSelfService Plus is not directly accessible from the internet.”

In an independent advisory, Zoho cautioned that it’s a “critical issue” and that it’s “noticing indications of this vulnerability being exploited.”

“This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request,” the company said. “This would allow the attacker to carry out subsequent attacks resulting in RCE.”

CVE-2021-40539 is the fifth security weakness disclosed in ManageEngine ADSelfService Plus since the start of the year, three of which — CVE-2021-37421 (CVSS score: 9.8), CVE-2021-37417 (CVSS score: 9.8), and CVE-2021-33055 (CVSS score: 9.8) — were addressed in recent updates. A fourth vulnerability, CVE-2021-28958 (CVSS score: 9.8), was rectified in March 2021.

This development also marks the second time a flaw in Zoho enterprise products has been actively exploited in real-world attacks. In March 2020, APT41 actors were found leveraging an RCE flaw in ManageEngine Desktop Central (CVE-2020-10189, CVSS score: 9.8) to download and execute malicious payloads in corporate networks as part of a global intrusion campaign.

Products You May Like

Articles You May Like

iOS 16 ‘Mailjack’ Bug Causes Mail App to Crash Upon Receiving Maliciously Crafted Email: All Details
Cyborg Cockroaches Powered by Solar Cells Could Help First Responders in Disaster Areas: Details
Google Pixel 7, Pixel 7 Pro Pre-Orders Start on October 6, Pixel Watch Launch Also Teased
Oppo Find X6 Series Tipped to Include 50-Megapixel Triple Rear Camera Setup
The Witcher: Blood Origin Sets December 25 Release Date at Netflix Tudum 2022

Leave a Reply

Your email address will not be published.