CVE-2021-37417: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

Zoho ManageEngine ADSelfService Plus version 6103 and prior contains a CAPTCHA bypass vulnerability (CVE-2021-37417) that was discovered in March 2021. The vulnerability allows users to bypass the CAPTCHA verification on the login page due to improper parameter validation, which could potentially enable brute-force attacks against the application (STM Cyber Blog, NVD).

The vulnerability exists due to improper validation of the EXCLUDECAPTCHA parameter in the login form. An attacker can bypass the CAPTCHA verification by adding the EXCLUDECAPTCHA=true parameter to the POST request body sent to the /jsecuritycheck endpoint, even when CAPTCHA verification is enabled in the application settings. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).

The exploitation of this vulnerability could allow attackers to perform automated brute-force attacks against user accounts by bypassing the CAPTCHA protection mechanism that is designed to prevent such automated attempts (STM Cyber Blog).

The vulnerability was fixed in ManageEngine ADSelfService Plus build 6104. Organizations using affected versions should upgrade to build 6104 or later to address this security issue (STM Cyber Blog).