Quote:A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have free rein across users’ Active Directory (AD) and cloud accounts. The issue (CVE-2021-40539) has been actively exploited in the wild as a zero-day, according to the Cybersecurity and Infrastructure Security Agency (CISA).
 
Zoho issued a patch on Tuesday, and CISA warned that admins should not only apply it immediately, but also ensure in general that ADSelfService Plus is not directly accessible from the internet. The issue affects builds 6113 and below (the fixed version is 6114).
 
The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) solution for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise’s footprint for both users and attackers alike.
 
“Ultimately, this underscores the threat posed to internet-facing applications,” Matt Dahl, principal intelligence analyst for Crowdstrike, noted. “These don’t always get the same attention as exploit docs with decoy content, but the variety of these web-facing services gives actors lots of options.”