Zoho fixes ADSelfService Plus vulnerability

A security advisory released by the US Cybersecurity agency CISA warns that hackers are taking advantage of a vulnerability in Zoho’s ManageEngine ADSelfService Plus password management service that enables them to hijack the system.

ADSelfService Plus

The vulnerability has been tracked as CVE-2021-40539 and has been ranked as high-severity one because remote, unauthenticated attackers may exploit it to run arbitrary code on a vulnerable system and, in this way, gain full control of it.

ADSelfService Plus is a solution that targets bigger companies who need an integrated, self-service password management for Active Directory and Cloud applications.

All users who have a version of ADSelfService Plus older than 6114 are strongly encouraged to install the latest development updates through the service pack.

Evidence of exploits in the wild

According to the CISA’s advisory, Zoho has issued a security notice that is addressing the problem in ADSelfService Plus and a patch with a fix for it.

The company claims that it is observing evidence of this vulnerability being exploited in the wild and recommends its customers to take the necessary actions to patch it.

The CISA notification regarding CVE-2021-40539 is explicit, as the agency notes that this vulnerability has been actively exploited.

More details regarding the vulnerability are hard to find at this point but Zoho has categorized the flaw as “critical” although the U.S. National Institute of Standards and Technology has not come up with an official severity score. According to the company, this is an authentication bypass vulnerability that may lead to remote code execution in REST API URLs.

Since the beginning of this year, Zoho’s ManageEngine ADSelfService Plus has reported four critical security vulnerabilities with  CVE-2021-40539 being the fifth one in line. The other four flaws have been tracked as follows:

  • CVE-2021-37421 – Zoho ManageEngine ADSelfService Plus 6103 and previous access-restriction bypass in the admin interface.
  • CVE-2021-37417 – CAPTCHA bypass caused by incorrect parameter validation in Zoho ManageEngine ADSelfService Plus 6103 and previous build.
  • CVE-2021-33055 – non-English Zoho ManageEngine ADSelfService Plus versions through 6102 with detected unauthenticated remote code execution.
  • CVE-2021-28958 – a remote code execution vulnerability in all Zoho ManageEngine ADSelfService Plus versions up to 6101 when changing the password.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment