Zoho recently published a security advisory to patch a remote code execution (RCE) vulnerability existing in Zoho ADSelfService plus. The vulnerability allows the execution of unauthenticated remote arbitrary code on the affected systems. As per the alert of the US Cyber Security and Infrastructure Security Agency (CISA), the vulnerability has been exploited in the wild.
- CVE-2021-40539: A remote code execution vulnerability exists in ADSelfService plus of Zoho
The flaw is assigned with the identifier CVE-2021-40539. The severity score is not yet calculated by NIST but is considered as Critical as it allows unauthenticated RCE on systems with vulnerable ADSelfService plus.
The vulnerability can be triggered by sending a specially crafted request to the REST API endpoint of ADSelfService plus. As a result, an attacker can perform unauthenticated RCE on the affected systems.
Way to Identify if the installation is affected
As per the advisory of Zoho Corp, look for access log entries with the following strings in \ManageEngine\ADSelfService Plus\log folder:
The system is affected if any of these entries are present in the logs
Zoho ADSelfService plus versions before 6114.
A fix for this vulnerability has been released in version 6114 or later.
The vulnerable versions of ADSelfService plus are advised to be updated to the latest available release.