Security News > 2020 > August > Critical ManageEngine ADSelfService Plus RCE flaw patched
A critical vulnerability in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system level privileges on the target Windows host.
ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.
"ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client," the company touts.
"A security alert can/will be triggered when 'an unauthenticated attacker having physical access to the host issues a self-signed SSLcertificate to the client'. Or, 'a self-signed SSLcertificate is configured on ADSelfService Plus server'," he noted.
Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/kEOwg1VLhWc/
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Veeam warns of critical RCE bug in Service Provider Console (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)