The Cybersecurity & Infrastructure Security Agency (CISA) alerted users and administrators to a critical vulnerability in the popular password and single sign-on manager, ManageEngine ADSelfService Plus by Zoho Corp. Users of the software are advised to apply the latest update, build 6114.
According to ManageEngine’s Security Advisory, the update will address the authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus. In its summary, the division noted: “This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE [Remote Code Execution].” – a critical issue that could result in full control of a system for any unpatched ADSelfService Plus customers.
Reports detail that the vulnerability had been exploited for over a week. However, intelligence analysts speculate that the attacks might have happened earlier. This marks the fifth security vulnerability in ManageEngine ADSelfService Plus, three of which scored a severity of 9.8. CVE-2021-40539 is currently awaiting severity analysis.
Last year, in a security advisory report, the NSA noted that internet-facing servers or web applications such as CMS, CMS plugins, CMS themes, CRMs, intranets, or other enterprise apps such as those from ZOHO corp were on the list of vulnerable applications commonly exploited to plant web shells (see Appendix H of the NSA report for Commonly Exploited Web Application Vulnerabilities). It is best practice to keep systems, services and applications updated with the latest patches to maintain a strong security posture.
For details on how to detect exploitation of CVE-2021-40539 and how to update to ADSelfService Plus build 6114, see ManageEngine’s Security Advisory.