Wiz
Vulnerability DatabaseCVE-2024-27310

CVE-2024-27310
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

Overview

CVE-2024-27310 affects Zoho ManageEngine ADSelfService Plus versions below 6401, which was discovered and disclosed in May 2024. The vulnerability is related to an LDAP injection issue during passwordless logins to ADSelfService Plus, caused by unsanitized LDAP queries to the ADSelfService Plus server (Vendor Advisory).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) by NIST and 5.3 (Medium) by ManageEngine. The vulnerability is classified as CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query) by ManageEngine (NVD).

Impact

The vulnerability could lead to the exposure of unauthorized user information and has the potential to overload the server by querying information for multiple users, potentially resulting in Denial of Service (DoS) attacks (Vendor Advisory).

Mitigation and workarounds

The vulnerability has been fixed in ADSelfService Plus version 6401 (released on December 27, 2023) by implementing proper sanitization of LDAP queries sent to the ADSelfService Plus server. Users are advised to update their ADSelfService Plus instance to build 6401 or later using the service pack (Vendor Advisory).

Additional resources

SourceThis report was generated using AI

Related Zoho ManageEngine ADSelfService Plus vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2024-0252HIGH8.8
  • Zoho ManageEngine ADSelfService PlusZoho ManageEngine ADSelfService Plus
  • cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
NoYesJan 11, 2024
CVE-2025-3833HIGH8.1
  • Zoho ManageEngine ADSelfService PlusZoho ManageEngine ADSelfService Plus
  • cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
NoYesMay 14, 2025
CVE-2025-1723HIGH8.1
  • Zoho ManageEngine ADSelfService PlusZoho ManageEngine ADSelfService Plus
  • cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
NoYesMar 03, 2025
CVE-2024-27310MEDIUM6.5
  • Zoho ManageEngine ADSelfService PlusZoho ManageEngine ADSelfService Plus
  • cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
NoYesMay 27, 2024
CVE-2024-36037MEDIUM5.5
  • Zoho ManageEngine ADAudit PlusZoho ManageEngine ADAudit Plus
  • cpe:2.3:a:zohocorp:manageengine_adaudit_plus
NoYesMay 27, 2024

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo