CVE-2022-36413: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

Zoho ManageEngine ADSelfService Plus through version 6203 contains a critical vulnerability (CVE-2022-36413) that was disclosed on March 23, 2023. The vulnerability affects the Password Sync Agent component and allows attackers to perform brute-force attacks that could lead to password resets on integrated Identity Management (IDM) applications (Vendor Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The issue specifically relates to an OTP brute-force vulnerability in the Password Sync Agent component. The attack vector is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to both confidentiality and integrity (NVD).

If exploited, attackers could use specialized machines to brute-force OTP values, potentially leading to unauthorized password resets and gaining control over integrated third-party applications. This vulnerability poses a significant risk to the security of integrated IDM applications and their associated user accounts (Vendor Advisory).

ManageEngine has released build 6218 to address this vulnerability. The fix includes increasing the OTP length to 16 characters and significantly decreasing the API throttling threshold. Organizations should update their ADSelfService Plus instance to build 6218 using the service pack and update the Password Sync Agent on all Domain Controllers where it is installed (Vendor Advisory).