On 7 September 2021, Zoho released a security update for a critical vulnerability affecting Zoho ManageEngine ADSelfService Plus. The flaw is currently being exploited by threat actors, and we recommend applying the latest update as soon as possible.
- The flaw, tracked as CVE-2021-40539, is a critical authentication bypass vulnerability. It allows unauthorized access to Zoho's ManageEngine ADSelfService Plus password management solution through its REST API endpoints.
- A threat actor would need to send a specially crafted request to achieve remote code execution on the system. The flaw affects ADSelfService Plus builds 6113 and below; instances exposed to the internet are at greatest risk.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that threat actors are exploiting this flaw on vulnerable systems accessible from the internet.
- We recommend following Zoho's guidance and updating ADSelfService Plus to the latest build, 6114, using the service pack.
- If external access to this service is not required, block access to ADSelfService Plus from the internet to reduce the risk.