ManageEngine, the maker of a number of products for managing Microsoft Entra ID deployments, said attackers are actively exploiting an authentication bypass flaw in its ADSelfService Plus tool, which is used for password resets and identity management.
The vulnerability (CVE-2021-40539) affects ADSelfService Plus up to build 6113, and the company said it has already seen evidence of attackers taking advantage of it. Exploiting the vulnerability does not take much effort, and ManageEngine, a division of Zoho, is encouraging customers to update to the latest build, 6114, to protect themselves.
“This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE,” the advisory says.
“This is a critical issue. We are noticing indications of this vulnerability being exploited.”
ADSelfService Plus is a management application that offers a variety of identity management and password management capabilities, including self-service password reset, SSO, policy enforcement for multi-factor authentication, and other features. The app is used by quite a number of enterprises, and ManageEngine lists IBM, eBay, and Northrop Grumman among the customers on its site.
Organizations that suspect their installations of ADSelfService Plus may have been affected can look for two specific entries in the app’s logs: /RestAPI/LogonCustomization or /RestAPI/Connection. The presence of either of those entries indicates a compromise. Likewise, the presence of service.cer in the \ManageEngine\ADSelfService Plus\bin folder, or of ReportGenerate.jsp in the \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder, is evidence of compromise.
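The two checks above (the REST API paths in the logs and the two dropped files) as a small triage script; this is an added example written for this article, not a tool from ManageEngine, and the log lines it scans are constructed samples rather than real ADSelfService Plus output.

```python
import os
import re

# Indicators named in the ManageEngine advisory: REST API paths that should not
# appear in ADSelfService Plus logs, and two files a clean install does not contain.
SUSPICIOUS_PATHS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")
ARTIFACT_FILES = (
    os.path.join("bin", "service.cer"),
    os.path.join("help", "admin-guide", "Reports", "ReportGenerate.jsp"),
)

# Constructed sample log lines (not real product output) used for the demo run.
SAMPLE_LOG = """\
2021-09-07 10:12:01 INFO  GET /adsf/selfservice/index.jsp 200
2021-09-07 10:12:09 INFO  POST /RestAPI/LogonCustomization 200
2021-09-07 10:12:10 INFO  GET /RestAPI/Connection 200
2021-09-07 10:13:44 INFO  GET /RestAPI/ProductConfig 404
"""


def find_log_indicators(log_text):
    """Return (line_number, matched_path, line) for every log line that references
    one of the advisory's endpoints. The path must end at a non-identifier character
    so that unrelated endpoints such as /RestAPI/ProductConfig are not reported."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for path in SUSPICIOUS_PATHS:
            if re.search(re.escape(path) + r"(?![A-Za-z0-9_])", line):
                hits.append((number, path, line))
    return hits


def find_file_artifacts(install_root):
    """Return the advisory's file indicators that exist under install_root
    (e.g. C:\\ManageEngine\\ADSelfService Plus), as paths relative to it."""
    return [rel for rel in ARTIFACT_FILES
            if os.path.isfile(os.path.join(install_root, rel))]


if __name__ == "__main__":
    for number, path, line in find_log_indicators(SAMPLE_LOG):
        print(f"line {number}: {path} -> {line}")
    # Assumed install root; adjust to the real installation directory.
    for rel in find_file_artifacts(r"C:\ManageEngine\ADSelfService Plus"):
        print(f"artifact present: {rel}")
```

Run it against the product's exported log files and the real installation directory; any hit from either function warrants treating the host as compromised per the advisory.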