Security News > 2021 > September > CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability

CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability
2021-09-08 22:45

The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild.

ManageEngine ADSelfService Plus is an integrated self-service password management and a single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their passwords.

"CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system," CISA said, urging companies to apply the latest security update to their ManageEngine servers and "Ensure ADSelfService Plus is not directly accessible from the internet."

In an independent advisory, Zoho cautioned that it's a "Critical issue" and that it's "Noticing indications of this vulnerability being exploited."

CVE-2021-40539 is the fifth security weakness disclosed in ManageEngine ADSelfService Plus since the start of the year, three of which - CVE-2021-37421, CVE-2021-37417, and CVE-2021-33055 - were addressed in recent updates.

This development also marks the second time a flaw in Zoho enterprise products has been actively exploited in real-world attacks.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/faDFTzIbhfQ/cisa-warns-of-actively-exploited-zoho.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-09-07 CVE-2021-40539 Use of Incorrectly-Resolved Name or Reference vulnerability in Zohocorp Manageengine Adselfservice Plus
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
network
low complexity
zohocorp CWE-706
critical
9.8
2021-08-30 CVE-2021-37421 Insufficient Verification of Data Authenticity vulnerability in Zohocorp Manageengine Adselfservice Plus
Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.
network
low complexity
zohocorp CWE-345
critical
9.8
2021-08-30 CVE-2021-37417 Improper Authentication vulnerability in Zohocorp Manageengine Adselfservice Plus
Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.
network
low complexity
zohocorp CWE-287
critical
9.8
2021-08-30 CVE-2021-33055 OS Command Injection vulnerability in Zohocorp Manageengine Adselfservice Plus
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.
network
low complexity
zohocorp CWE-78
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Manageengine 9 0 3 4 3 10
Zoho 4 0 3 4 0 7