Security News > 2021 > September > Zoho patches actively exploited critical ADSelfService Plus bug

The U.S. Cybersecurity and Infrastructure Security Agency is warning that hackers are exploiting a critical vulnerability in Zoho's ManageEngine ADSelfService Plus password management solution that allows them to take control of the system.

Zoho has published a security advisory to announce that an update that patches the bug is currently available for ADSelfService Plus.

CVE-2021-37421 - admin portal access-restriction bypass in Zoho ManageEngine ADSelfService Plus 6103 and earlier.

CVE-2021-37417 - CAPTCHA bypass due to improper parameter validation in Zoho ManageEngine ADSelfService Plus build 6103 and earlier.

CVE-2021-33055 - unauthenticated remote code execution in non-English editions affecting Zoho ManageEngine ADSelfService Plus through 6102.

CVE-2021-28958 - unauthenticated remote code execution while changing the password in all Zoho ManageEngine ADSelfService Plus builds up to 6101.

News URL

https://www.bleepingcomputer.com/news/security/zoho-patches-actively-exploited-critical-adselfservice-plus-bug/