The Cybersecurity & Infrastructure Security Agency (CISA) alerted users and administrators to a critical vulnerability in the popular password and single sign-on manager, ManageEngine ADSelfService Plus by Zoho Corp. Users of the software are advised to apply the latest update, build 6114.
According to ManageEngine’s Security Advisory, the update addresses an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus. In its summary, ManageEngine noted: “This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE [Remote Code Execution].” This is a critical issue that could result in full control of a system for any unpatched ADSelfService Plus customer.
Reports detail that the vulnerability had been exploited for over a week, though intelligence analysts speculate that the attacks might have begun earlier. This marks the fifth security vulnerability in ManageEngine ADSelfService Plus, three of which scored a severity of 9.8. CVE-2021-40539 is currently awaiting severity analysis.