CVE-2021-40539
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

Overview

CVE-2021-40539 is a critical authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus version 6113 and prior. The vulnerability, discovered in September 2021, allows attackers to bypass REST API authentication, potentially leading to remote code execution. The affected software is a self-service password management and single sign-on solution used across various sectors including academic institutions, defense contractors, and critical infrastructure companies (CISA Advisory, NVD).

Technical details

The vulnerability stems from an error in how the REST API security filter normalizes URLs before validating them. By crafting REST API URLs that the filter fails to normalize correctly, attackers can bypass the filter and reach REST API endpoints without authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). Exploitation can lead to arbitrary command execution and allows attackers to place webshells for post-exploitation activity (ManageEngine Advisory).
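The root cause described above, an authorization check that runs on a URL before it has been normalized, is easiest to see in a minimal filter. The following is an added example written for this page; it is not code from Wiz, Zoho or the ADSelfService Plus product. The protected prefix "/api/", the handler names and the request paths in the `__main__` block are constructed for illustration. It contrasts a filter that checks the raw request path (and leaves the framework to route a normalized path) with one that canonicalizes first and then checks, which is the general fix for this class of bug.

```python
"""Added example: check-before-normalize vs normalize-then-check in a REST API
security filter.  Constructed for illustration; not the product's own code."""

import posixpath
import re
from urllib.parse import unquote

# Assumption for the example: everything under this prefix requires a session.
PROTECTED_PREFIX = "/api/"


def canonicalize(raw_path: str) -> str:
    """Return the canonical form of a request path.

    Steps: percent-decode exactly once, collapse runs of slashes, resolve
    "." and ".." segments.  posixpath.normpath never climbs above "/", so
    "/../x" becomes "/x" rather than escaping the root.
    """
    decoded = unquote(raw_path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    decoded = re.sub(r"/+", "/", decoded)  # normpath would keep a leading "//"
    return posixpath.normpath(decoded)


def is_protected(canonical_path: str) -> bool:
    """True when a canonical path falls under the protected prefix."""
    base = PROTECTED_PREFIX.rstrip("/")
    return canonical_path == base or canonical_path.startswith(PROTECTED_PREFIX)


def route(canonical_path: str) -> str:
    """Stand-in for the framework's dispatcher, which works on the canonical path."""
    return "api-handler" if is_protected(canonical_path) else "public-handler"


def vulnerable_filter(raw_path: str, authenticated: bool) -> str:
    """Defective pattern: the access check looks at the raw path, but the
    request is dispatched on the canonical path, so the two can disagree."""
    if raw_path.startswith(PROTECTED_PREFIX) and not authenticated:
        return "401"
    return route(canonicalize(raw_path))


def hardened_filter(raw_path: str, authenticated: bool) -> str:
    """Fixed pattern: canonicalize once, refuse paths that are still ambiguous
    after one decode, and run the access check on the same path that is routed."""
    path = canonicalize(raw_path)
    if any(ch in path for ch in "%\\\x00"):
        return "400"  # double-encoded, backslash or NUL: reject rather than guess
    if is_protected(path) and not authenticated:
        return "401"
    return route(path)


def evaluate(raw_path: str, authenticated: bool = False) -> dict:
    """Run both filters on one request so the divergence is visible."""
    return {
        "vulnerable": vulnerable_filter(raw_path, authenticated),
        "hardened": hardened_filter(raw_path, authenticated),
    }


if __name__ == "__main__":
    # Constructed test vectors: each is a different spelling of /api/users.
    for raw in ["/api/users", "/./api/users", "/public/../api/users",
                "//api/%75sers", "/%2561pi/users", "/index.html"]:
        print(f"{raw:28s} -> {evaluate(raw)}")
```

The divergence is the whole lesson: for "/./api/users" the vulnerable filter returns "api-handler" to an unauthenticated caller while the hardened filter returns "401". In a real deployment the canonicalization should be the one the servlet container or framework itself applies before routing, so that the filter and the dispatcher can never see two different paths.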

Impact

The successful exploitation of this vulnerability enables attackers to compromise administrator credentials, conduct lateral movement within networks, and exfiltrate registry hives and Active Directory files. The vulnerability affects organizations across 16 critical infrastructure sectors, including academic institutions, defense contractors, and companies in transportation, information technology, manufacturing, communications, and finance sectors (CISA Advisory).

Mitigation and workarounds

Zoho released a patch for this vulnerability in build 6114 on September 7, 2021. Organizations are strongly advised to update to this version or newer. If compromise is suspected, organizations should disconnect affected systems from the network, back up the ADSelfService Plus database, format compromised machines, and perform a fresh installation. Additionally, organizations should ensure ADSelfService Plus is not directly accessible from the internet and implement domain-wide password resets if any indication of NTDS.dit file compromise is found (ManageEngine Advisory).

Additional resources


This report was generated using AI.
