The US Cybersecurity and Infrastructure Security Agency (CISA) warned about hackers exploiting a critical vulnerability in Zoho’s ManageEngine ADSelfService Plus, a popular password management solution.
Zoho’s ADSelfService Plus helps well-known and large-scale organizations with integrated self-service password management. It is a single sign-on solution for cloud and Active Directory apps.
“Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild,” the CISA said.
This critical security issue, CVE-2021-40539, allows an unauthenticated attacker to gain access to the system. The attacker can then execute arbitrary code on the system.
According to the published security advisory by Zoho, an update for ADSelfService Plus to patch this bug is currently available. In the security notification this week, Zoho said that it is now “noticing indications of this vulnerability being exploited.”
Details in the CISA alert about the vulnerability are presently scarce. The US National Institute of Standards and Technology has not yet calculated its severity score. However, Zoho rates the issue as critical.
“An authentication bypass vulnerability affecting REST API URLs, that could result in remote code execution,” the company said.
Zoho has urged organizations running ADSelfService Plus builds below 6114 to apply the latest update and patch the bug. The fix is available in their service pack.
This year, Zoho has reported five critical vulnerabilities in ManageEngine ADSelfService Plus, with CVE-2021-40539 being the fifth.
Additionally, the CISA advises organizations to ensure ADSelfService Plus is not directly accessible from the Internet and urges administrators to review Zoho’s advisory for more information.