CVE-2021-33055: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

Zoho ManageEngine ADSelfService Plus through version 6102 contained a critical vulnerability (CVE-2021-33055) that allowed unauthenticated remote code execution in non-English editions. The vulnerability was discovered in May 2021 and affected the password synchronization functionality that employs PowerShell scripts (MITRE CVE, Zoho Advisory).

The vulnerability stems from the way ADSelfService Plus handles PowerShell scripts for password synchronization functionality. Unicode's General Punctuation block contains symbols composed of multiple single-quotes and double-quotes that, while not considered Unicode-encoded by PowerShell, can be used to begin and end strings. This characteristic could be exploited for PowerShell injection attacks. The vulnerability has a CVSS v2 score of 9.8, indicating critical severity (STM Cyber, Zoho Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary remote code on affected systems. The vulnerability is particularly critical as it affects the password synchronization functionality, potentially compromising the entire authentication system (Zoho Advisory).

Zoho has addressed this vulnerability in ADSelfService Plus build 6105. Organizations using affected versions (6102 and below) are strongly advised to update to the latest version using the service pack (Zoho Advisory).