CVE-2021-37423: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

Zoho ManageEngine ADSelfService Plus version 6111 and prior versions were identified with a critical vulnerability (CVE-2021-37423) that enables linked applications takeover. The vulnerability was discovered and assigned on July 23, 2021, with initial analysis by NIST completed on September 17, 2021. This security flaw affects the ADSelfService Plus password management solution (NVD, CVE Mitre).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical nature of the vulnerability involves the Password Sync Agent functionality, where an unauthenticated attacker could remotely delete the legitimate Password Sync Agent from the database and register a fake one (ManageEngine Advisory).

The vulnerability allows attackers to gain unauthorized access to all Password Sync Agent functionalities. This breach could potentially compromise the password synchronization system, affecting the security of user credentials across multiple connected systems (ManageEngine Advisory).

The vulnerability was addressed in ADSelfService Plus build 6200, released on May 24, 2022. The fix implements an access key generation system that must be provided during Password Sync Agent installation to ensure secure password synchronization. Users must upgrade to build 6200 and reinstall the Password Sync Agent with the new access key, as backward compatibility is not provided for older versions (ManageEngine Advisory).