Zoho has released an emergency patch for an authentication bypass vulnerability in its ManageEngine ADSelfService Plus, as well as a warning that the flaw has already been used in attacks.
The security weakness, tracked as CVE-2021-40539, is rated critical because it can be used to take control of a vulnerable system.
According to Zoho's advisory, the vulnerability affects the ADSelfService Plus REST API URLs and could be exploited to achieve remote code execution. Technical details of the flaw have not yet been released.
“This is a serious problem. We’re seeing signs that this vulnerability is being exploited,” Zoho said.
All ADSelfService Plus builds up to and including 6113 are affected, and customers are urged to update to build 6114 or later as soon as possible.
The US government’s Cybersecurity and Infrastructure Security Agency (CISA) issued a separate advisory on Tuesday urging administrators to review Zoho’s advisory and update ADSelfService Plus immediately.
“In the wild, CVE-2021-40539 has been discovered in exploits. A remote attacker might use this flaw to take control of a vulnerable machine,” according to CISA.
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud applications. Among other things, it lets administrators define password policies, deploy authentication mechanisms, and enforce two-factor authentication (2FA).