A security advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA) warns that attackers are exploiting a vulnerability in Zoho's ManageEngine ADSelfService Plus password management product that lets them take over the system.
The vulnerability is tracked as CVE-2021-40539 and has been rated high-severity because remote, unauthenticated attackers can exploit it to run arbitrary code on a vulnerable system and thereby gain full control of it.
ADSelfService Plus is a product aimed at larger companies that need integrated self-service password management for Active Directory and cloud applications.
All users running a build of ADSelfService Plus older than 6114 are strongly encouraged to install the latest updates through the service pack.
Evidence of exploits in the wild
According to CISA's advisory, Zoho has issued a security notice addressing the problem in ADSelfService Plus, along with a patch that fixes it.
The company states that it has observed evidence of this vulnerability being exploited in the wild and recommends that its customers take the necessary steps to apply the patch.
CISA's notification regarding CVE-2021-40539 is explicit: the agency notes that this vulnerability has been actively exploited.
Few further details about the vulnerability are available at this point, but Zoho has classified the flaw as "critical", although the U.S. National Institute of Standards and Technology has not yet published an official severity score. According to the company, it is an authentication bypass in the REST API URLs that can lead to remote code execution.
Since the beginning of this year, four critical security vulnerabilities have been reported in Zoho's ManageEngine ADSelfService Plus, with CVE-2021-40539 being the fifth. The other four flaws are tracked as follows:
- CVE-2021-37421 – an access-restriction bypass in the admin interface of Zoho ManageEngine ADSelfService Plus build 6103 and earlier.
- CVE-2021-37417 – a CAPTCHA bypass caused by incorrect parameter validation in Zoho ManageEngine ADSelfService Plus build 6103 and earlier.
- CVE-2021-33055 – unauthenticated remote code execution in non-English Zoho ManageEngine ADSelfService Plus versions through build 6102.
- CVE-2021-28958 – a remote code execution vulnerability in the password-change flow of all Zoho ManageEngine ADSelfService Plus versions up to build 6101.