CVE-2021-28958: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

CVE-2021-28958 is a critical vulnerability affecting Zoho ManageEngine ADSelfService Plus through version 6101. The vulnerability was discovered in March 2021 and allows unauthenticated remote code execution while changing passwords. The issue was reported by security researchers Krzysztof Andrusiak and Marcin Ogorzelski from STM Cyber (STM Blog).

The vulnerability stems from improper sanitization of user credentials in PowerShell scripts used for password changes. Specifically, the application fails to properly sanitize double quotes in user input before including it in PowerShell scripts, leading to PowerShell script injection and remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity with no required privileges or user interaction for exploitation (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary code on the affected system with the privileges of the ADSelfService Plus application. This could lead to complete system compromise, allowing attackers to gain unauthorized access to sensitive information, modify system configurations, and potentially use the compromised system as a stepping stone for further network intrusion (STM Blog).

Zoho has addressed this vulnerability in ADSelfService Plus build 6102, released on March 21, 2021. Organizations using affected versions should immediately upgrade to build 6102 or later to protect against this vulnerability (ManageEngine Advisory).