
CVE-2021-40539: Critical Zero-Day in Zoho ManageEngine ADSelfService Plus


CISA has released an alert regarding a new, critical zero-day vulnerability affecting Zoho ManageEngine ADSelfService Plus servers.


More specifically, the flaw is an authentication bypass affecting the REST API URLs in ADSelfService Plus which, if exploited successfully, could lead to remote code execution. The zero-day has been assigned CVE-2021-40539.

CVE-2021-40539 Zero-Day in Zoho ManageEngine

Following the disclosure, Zoho has released a security update addressing the flaw. The flaw itself affects ManageEngine ADSelfService Plus builds 6113 and below.

According to Zoho’s advisory, the zero-day “allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE.”

What Is ManageEngine ADSelfService Plus?

ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud applications. Because the product sits in front of Active Directory credentials, CISA's alert is blunt about exposure: “CISA strongly urges organizations ensure ADSelfService Plus is not directly accessible from the internet.”

Users and administrators are encouraged to refer to Zoho’s advisory for further details, and to update to ADSelfService Plus build 6114, the first build that contains the fix.
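The two actionable points in the advisory are the affected build range (6113 and below, fixed in 6114) and the fact that the REST API endpoints are the attack surface of a product that should never be reachable from the internet. The script below turns both into a quick triage check: it classifies a reported build number, and it scans web-server access log lines for REST API requests arriving from non-internal addresses. This is an added example written for this article, not code from Zoho, CISA or the original post; the `/RestAPI/` path prefix, the NCSA combined log format, the internal address ranges and the sample log lines (including the endpoint name) are all assumptions made for illustration and should be adjusted to the real environment.

```python
import ipaddress
import posixpath
import re
from typing import Iterable

# Facts from the advisory: builds 6113 and below are affected, build 6114 fixes it.
LAST_VULNERABLE_BUILD = 6113
FIXED_BUILD = 6114

# Assumption: the ADSelfService Plus REST API is served under this path prefix.
REST_API_PREFIX = "/restapi/"

# Assumption: these are the organisation's internal ranges. Anything else is
# treated as "from the internet", which the advisory says should never reach
# the product. Replace with the real internal ranges.
ASSUMED_INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "::1/128", "fc00::/7")
]

# Assumption: the web server writes NCSA combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_vulnerable_build(build: int) -> bool:
    """True when a reported ADSelfService Plus build number is in the affected range."""
    return build <= LAST_VULNERABLE_BUILD


def is_internal(ip: str) -> bool:
    """True when the source address falls inside an assumed internal range.
    Unparsable addresses are treated as external so they are flagged, not lost."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ASSUMED_INTERNAL_NETS)


def canonical_path(raw: str) -> str:
    """Normalise a request path roughly the way a servlet container does before
    routing: drop the query string, collapse dot segments and repeated slashes,
    and lower-case it, so oddly written requests still match the API prefix."""
    path = raw.split("?", 1)[0]
    path = posixpath.normpath(path)
    path = re.sub(r"^/+", "/", path)  # normpath keeps a leading "//"; collapse it
    return path.lower()


def flag_rest_api_hits(lines: Iterable[str]) -> list[dict]:
    """Return REST API requests whose source address is not internal.

    Any REST API request from a non-internal address contradicts the advisory's
    exposure guidance and deserves an analyst's attention. Lines that do not
    parse as access-log entries are skipped.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if not canonical_path(m["path"]).startswith(REST_API_PREFIX):
            continue
        if is_internal(m["ip"]):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
        })
    return hits


# Constructed sample log: the endpoint name and addresses are made up for illustration.
SAMPLE_LOG = [
    '10.0.0.15 - - [08/Sep/2021:09:12:01 +0000] "POST /RestAPI/endpoint HTTP/1.1" 200 512',
    '203.0.113.42 - - [08/Sep/2021:09:13:44 +0000] "POST /./RestAPI/endpoint HTTP/1.1" 200 1034',
    '203.0.113.42 - - [08/Sep/2021:09:13:45 +0000] "GET //RESTAPI/endpoint?x=1 HTTP/1.1" 200 88',
    '198.51.100.7 - - [08/Sep/2021:09:15:02 +0000] "GET / HTTP/1.1" 200 2048',
    'not an access log line',
]

if __name__ == "__main__":
    print("build 6113 vulnerable:", is_vulnerable_build(6113))
    for hit in flag_rest_api_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

On the constructed sample, the internal POST is ignored, the index page fetch is ignored because it is not a REST API path, and the two external requests are both flagged even though one uses a dot segment and the other doubled slashes and mixed case, which is why the path is normalised before the prefix comparison rather than matched literally. A hit list that is not empty means the product was reachable from outside and the build check, not the log, decides whether the exposure was exploitable.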

Milena Dimitrova
