You are currently viewing Zoho Patches Critical Zero-day Flaw in its ADSelfService plus Exploited in The Wild

Zoho Patches Critical Zero-day Flaw in its ADSelfService plus Exploited in The Wild

Zoho recently published a security advisory to patch a remote code execution (RCE) vulnerability existing in Zoho ADSelfService plus. The vulnerability allows the execution of unauthenticated remote arbitrary code on the affected systems. As per the alert of the US Cyber Security and Infrastructure Security Agency (CISA), the vulnerability has been exploited in the wild.

Vulnerability Details

  • CVE-2021-40539: A remote code execution vulnerability exists in ADSelfService plus of Zoho

The flaw is assigned with the identifier CVE-2021-40539. The severity score is not yet calculated by NIST but is considered as Critical as it allows unauthenticated RCE on systems with vulnerable ADSelfService plus.

The vulnerability can be triggered by sending a specially crafted request to the REST API endpoint of ADSelfService plus. As a result, an attacker can perform unauthenticated RCE on the affected systems.

Way to Identify if the installation is affected

As per the advisory of Zoho Corp, look for access log entries with the following strings in \ManageEngine\ADSelfService Plus\log folder:

  1. /RestAPI/LogonCustomization
  2. /RestAPI/Connection

The system is affected if any of these entries are present in the logs

Affected Versions

Zoho ADSelfService plus versions before 6114.


A fix for this vulnerability has been released in version 6114 or later.

The vulnerable versions of ADSelfService plus are advised to be updated to the latest available release.

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments