Zoho warns of zero-day authentication bypass flaw actively exploited

Zoho urges customers to address an authentication bypass vulnerability in its ManageEngine ADSelfService Plus that is actively exploited in the wild.

Zoho has released a security patch to address an authentication bypass vulnerability, tracked as CVE-2021-40539, in its ManageEngine ADSelfService Plus. The company also warns the vulnerability is already exploited in attacks in the wild.

The vulnerability resides in the REST API URLs in ADSelfService Plus and could lead to remote code execution (RCE).

“We have addressed an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus. This article provides more information on the issue and how to resolve it.” reads the advisory published by the company. “This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE.”

“This is a critical issue. We are noticing indications of this vulnerability being exploited,” Zoho added.

The flaw affects ADSelfService Plus 6113 release and prior, the flaw was addressed with the release of build 6114 or later.

In order to determine if an install is vulnerable, it is possible to check the presence of the following string in the access log entries available in the \ManageEngine\ADSelfService Plus\logs folder:

/RestAPI/LogonCustomization
/RestAPI/Connection

US CISA also published a security advisory about the CVE-2021-40539 vulnerability.

“Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps.” reads CISA’s advisory “Additionally, CISA strongly urges organizations ensure ADSelfService Plus is not directly accessible from the internet.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Zoho)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.