09.09.2021 Zoho Update Fixes Actively Exploited Vulnerability

by Elena Lapina

On 7 September 2021, Zoho released a security update for a critical vulnerability affecting Zoho ManageEngine ADSelfService Plus. The flaw is currently used by threat actors and we recommend applying the latest updates as soon as possible.


  • The flaw, tracked as CVE-2021-40539, is a critical authentication bypass vulnerability. It allows unauthorized access to Zoho’s MangeEngine ADSelfService Plus password management solution through REST API endpoints.
  • A threat actor would need to send a specially-crafted request to achieve remote code execution on the system. The flaw affects ADSelfService Plus builds 6113 and below which are exposed to the internet.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that threat actors are taking advantage of the systems accessible from the internet that are vulnerable to this flaw.


  • We recommend following Zoho’s guidance and updating the ADSelfService Plus to the latest build, 6114, using the service pack.
  • If external access to this service is not required, prevent access to ADSelfService Plus from the internet to reduce the risk.



Request Demo

Fill out the form and we will send you details about our demo.