CVE-2021-37421: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

Zoho ManageEngine ADSelfService Plus version 6103 and prior contains a critical vulnerability (CVE-2021-37421) that allows attackers to bypass admin portal access restrictions. The vulnerability was discovered in 2021 and received a CVSS v3.1 score of 9.8 (Critical) (NVD Results).

The vulnerability allows attackers to bypass the IP-based access restrictions for the Admin portal by manipulating the X-Forwarded-For header. When administrators enable 'Allow/Restrict Admin portal access based on IP Addresses' in the Logon Settings, an attacker can circumvent this security control by setting the X-Forwarded-For header to a whitelisted IP address, such as 127.0.0.1 (STM Cyber Blog).

The successful exploitation of this vulnerability allows unauthorized access to the admin portal, potentially giving attackers administrative control over the ADSelfService Plus installation. This could lead to unauthorized access to sensitive information and system configurations (Hacker News).

The vulnerability was fixed in ADSelfService Plus version 6104. Organizations are strongly advised to upgrade to this version or later to address the security issue. Until the upgrade can be performed, organizations should implement additional network-level controls to restrict access to the admin portal (STM Cyber Blog).