CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability


[![Zoho ManageEngine ADSelfService Vulnerability](https://thehackernews.com/images/-sCM6j8kvs2s/YTme1HWgMII/AAAAAAAADwM/Wyzei6Ccbz8Z4NBhBhEEtrtdCIkbrEkGwCLcBGAsYHQ/s728-e1000/zoho.jpg)](<https://thehackernews.com/images/-sCM6j8kvs2s/YTme1HWgMII/AAAAAAAADwM/Wyzei6Ccbz8Z4NBhBhEEtrtdCIkbrEkGwCLcBGAsYHQ/s0/zoho.jpg>)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild.

The flaw, tracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>), concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted.

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their passwords.

"CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system," CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>), urging companies to apply the latest security update to their ManageEngine servers and "ensure ADSelfService Plus is not directly accessible from the internet."

"The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software," CISA [said](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>). "Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files."

In an independent advisory, Zoho [cautioned](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) that it's a "critical issue" and that it's "noticing indications of this vulnerability being exploited."

"This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request," the company said. "This would allow the attacker to carry out subsequent attacks resulting in RCE."

CVE-2021-40539 is the fifth security weakness disclosed in ManageEngine ADSelfService Plus since the start of the year, three of which — [CVE-2021-37421](<https://nvd.nist.gov/vuln/detail/CVE-2021-37421>) (CVSS score: 9.8), [CVE-2021-37417](<https://nvd.nist.gov/vuln/detail/CVE-2021-37417>) (CVSS score: 9.8), and [CVE-2021-33055](<https://nvd.nist.gov/vuln/detail/CVE-2021-33055>) (CVSS score: 9.8) — were addressed in recent updates. A fourth vulnerability, [CVE-2021-28958](<https://nvd.nist.gov/vuln/detail/CVE-2021-28958>) (CVSS score: 9.8), was rectified in March 2021.

This development also marks the second time a flaw in Zoho enterprise products has been actively exploited in real-world attacks. In March 2020, APT41 actors were [found](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>) leveraging an RCE flaw in ManageEngine Desktop Central ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>), CVSS score: 9.8) to download and execute malicious payloads in corporate networks as part of a global intrusion campaign.
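The two facts a defender can act on from the advisories above are the affected build range (builds up to 6113) and CISA's instruction that ADSelfService Plus should not be directly reachable from the internet. The following script, an added example that is not part of the article or of Zoho's or CISA's own tooling, turns those into a triage of an asset inventory: it parses build numbers out of version banners, flags hosts still on an affected build, and orders the result so that affected, internet-exposed servers come first. The inventory records, the hostnames and the banner format "ADSelfService Plus 6.1 Build NNNN" are constructed assumptions for the example; hosts whose build cannot be determined are kept in the list as "unknown" rather than silently dropped, since an unparseable banner is not evidence that a host is patched.

```python
"""Triage ADSelfService Plus hosts against CVE-2021-40539.

Added example; not the article's, Zoho's or CISA's code. The only fact taken
from the advisories is that builds up to 6113 are affected. The inventory
format, hostnames and banner format below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# From the advisory: ADSelfService Plus builds up to 6113 are impacted.
LAST_VULNERABLE_BUILD = 6113

# Constructed sample inventory (hypothetical hosts), as a CMDB export might look.
SAMPLE_INVENTORY = [
    {"host": "adssp-01.corp.example", "banner": "ADSelfService Plus 6.1 Build 6113", "internet_exposed": True},
    {"host": "adssp-02.corp.example", "banner": "ADSelfService Plus 6.1 Build 6114", "internet_exposed": True},
    {"host": "adssp-03.corp.example", "banner": "ADSelfService Plus 6.0 Build 6002", "internet_exposed": False},
    {"host": "adssp-04.corp.example", "banner": "unknown", "internet_exposed": False},
]

# Assumed banner shape: "... Build NNNN". Adjust the pattern to your inventory source.
_BUILD_RE = re.compile(r"\bBuild\s+(\d{4,5})\b", re.IGNORECASE)


def parse_build(banner: str) -> Optional[int]:
    """Extract the numeric build from a version banner; None if it cannot be found."""
    match = _BUILD_RE.search(banner or "")
    return int(match.group(1)) if match else None


@dataclass
class Finding:
    host: str
    build: Optional[int]
    status: str    # "vulnerable", "patched" or "unknown"
    priority: int  # lower is more urgent


def assess(record: dict) -> Finding:
    """Classify one inventory record and assign a remediation priority."""
    build = parse_build(record.get("banner", ""))
    exposed = bool(record.get("internet_exposed"))
    if build is None:
        status = "unknown"          # cannot prove it is patched; verify by hand
    elif build <= LAST_VULNERABLE_BUILD:
        status = "vulnerable"
    else:
        status = "patched"

    # Ordering: affected and reachable from the internet first, then affected
    # internal hosts, then unverifiable hosts. Patched hosts that are still
    # internet-exposed rank above patched internal ones because CISA's guidance
    # is that the product should not be directly accessible from the internet.
    if status == "vulnerable":
        priority = 0 if exposed else 1
    elif status == "unknown":
        priority = 2 if exposed else 3
    else:
        priority = 4 if exposed else 5
    return Finding(record["host"], build, status, priority)


def triage(inventory: list) -> list:
    """Return findings for the whole inventory, most urgent first."""
    return sorted((assess(r) for r in inventory), key=lambda f: (f.priority, f.host))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:24} build={f.build!s:6} {f.status:10} priority={f.priority}")
```

Run it as-is to see the constructed sample ordered by urgency; in practice replace `SAMPLE_INVENTORY` with your own export and confirm the build regex against the banner format your source actually reports.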