CISA has released an alert regarding a new, critical zero-day vulnerability affecting Zoho ManageEngine servers.
More specifically, it is an authentication bypass flaw affecting the REST API URLs in ADSelfService Plus, which could lead to remote code execution if exploited successfully. The zero-day has been identified as CVE-2021-40539.
CVE-2021-40539 Zero-Day in Zoho ManageEngine
Following the disclosure, Zoho has released a security update addressing the flaw. The flaw itself affects ManageEngine ADSelfService Plus builds 6113 and below.
According to Zoho’s advisory, the zero-day “allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE.”
What Is ManageEngine ADSelfService Plus?
ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. “CISA strongly urges organizations ensure ADSelfService Plus is not directly accessible from the internet,” the alert warns.
Users and administrators are encouraged to refer to Zoho’s advisory for further details, and to update to ADSelfService Plus build 6114.