CVE-2023-41904: 
Zoho ManageEngine ADManager Plus vulnerability analysis and mitigation

A medium severity vulnerability (CVE-2023-41904) was discovered in Zoho ManageEngine ADManager Plus versions 7202 and older, where the REST APIs were accessible without proper Two-Factor Authentication (2FA) verification. The vulnerability was discovered and reported by the Vector0 Research Team, and was fixed in version 7203 released on July 30, 2023 (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue specifically relates to the authentication mechanism for REST API AuthToken generation, where the system failed to properly enforce 2FA verification during the token generation process (NVD).

The vulnerability allows AuthTokens used for REST API requests to be generated without the required Two-Factor Authentication verification. This could potentially compromise the security of API access by bypassing an important security control (Vendor Advisory).

Organizations using affected versions of ADManager Plus should update their installations to version 7203 or later by installing the service pack. This update addresses the 2FA bypass vulnerability in the REST API authentication process (Vendor Advisory).