Zoho patches actively exploited critical ADSelfService Plus bug
2021-09-08 19:36

The U.S. Cybersecurity and Infrastructure Security Agency is warning that hackers are exploiting a critical vulnerability in Zoho's ManageEngine ADSelfService Plus password management solution that allows them to take control of the system.

Zoho has published a security advisory to announce that an update that patches the bug is currently available for ADSelfService Plus.

CVE-2021-37421 - admin portal access-restriction bypass in Zoho ManageEngine ADSelfService Plus 6103 and earlier.

CVE-2021-37417 - CAPTCHA bypass due to improper parameter validation in Zoho ManageEngine ADSelfService Plus build 6103 and earlier.

CVE-2021-33055 - unauthenticated remote code execution in non-English editions affecting Zoho ManageEngine ADSelfService Plus through 6102.

CVE-2021-28958 - unauthenticated remote code execution while changing the password in all Zoho ManageEngine ADSelfService Plus builds up to 6101.


News URL

https://www.bleepingcomputer.com/news/security/zoho-patches-actively-exploited-critical-adselfservice-plus-bug/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-30 | CVE-2021-37421 | Insufficient Verification of Data Authenticity vulnerability in Zohocorp Manageengine Adselfservice Plus. Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. | network, low complexity, zohocorp, CWE-345, critical, 9.8 |
| 2021-08-30 | CVE-2021-37417 | Improper Authentication vulnerability in Zohocorp Manageengine Adselfservice Plus. Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. | network, low complexity, zohocorp, CWE-287, critical, 9.8 |
| 2021-08-30 | CVE-2021-33055 | OS Command Injection vulnerability in Zohocorp Manageengine Adselfservice Plus. Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. | network, low complexity, zohocorp, CWE-78, critical, 9.8 |
| 2021-06-25 | CVE-2021-28958 | OS Command Injection vulnerability in Zohocorp Manageengine Adselfservice Plus. Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. | network, low complexity, zohocorp, CWE-78, critical, 9.8 |

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Zoho | | 5 | 0 | 3 | 5 | 0 | 8 |