Zoho Patches Critical Zero-day Flaw in ADSelfService to patch a remote code execution (RCE) vulnerability existing in Zoho ADSelfService plus. The vulnerability allows the execution of unauthenticated remote arbitrary code on the affected systems. As per the alert of the US Cyber Security and Infrastructure Security Agency (CISA), the vulnerability has been exploited in the wild.
Vulnerability Details
- CVE-2021-40539: A remote code execution vulnerability exists in ADSelfService plus of Zoho
The flaw is assigned with the identifier CVE-2021-40539. The severity score is not yet calculated by NIST but is considered as Critical as it allows unauthenticated RCE on systems with vulnerable ADSelfService plus.
The vulnerability can be triggered by sending a specially crafted request to the REST API endpoint of ADSelfService plus. As a result, an attacker can perform unauthenticated RCE on the affected systems.
Way to Identify if the installation is affected
As per the advisory of Zoho Corp, look for access log entries with the following strings in \ManageEngine\ADSelfService Plus\log folder:
- /RestAPI/LogonCustomization
- /RestAPI/Connection
The system is affected if any of these entries are present in the logs
Affected Versions
Zoho ADSelfService plus versions before 6114.
Solution
Zoho Patches Critical Zero-day Flaw in ADSelfService in version 6114 or later.
The vulnerable versions of ADSelfService plus are advised to be updated to the latest available release.