APT actors exploit flaw in ManageEngine single sign-on solution


Cyber-espionage groups are exploiting a critical vulnerability patched earlier this month in ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) solution for Active Directory environments.

The FBI, CISA and the United States Coast Guard Cyber Command (CGCYBER) urge organisations that use the product to deploy the available patch as soon as possible and check their systems for signs of compromise.

“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” the three agencies said in a joint advisory. “The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software.”

Authentication bypass and RCE

The exploited vulnerability is tracked as CVE-2021-40539 and allows attackers to bypass authentication requirements by sending specially crafted requests to the product’s REST API URLs. This authentication bypass provides attackers with access to functionality that can enable remote code execution.

ManageEngine, a division of software-as-a-service (SaaS) provider Zoho, patched the flaw on September 6 in ADSelfService Plus build 6114. Zoho’s and CISA’s advisories do not specify whether the flaw was discovered in the wild or whether attackers started exploiting it after the patch was released.

Attacks observed so far leverage the vulnerability to upload web shells — web-based backdoor scripts — on the web servers hosting vulnerable ADSelfService deployments. These web shells then allow attackers to conduct post-exploitation activities including stealing administrative credentials and moving laterally through the network to other systems.
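The two checks a defender would run first after reading the advisory, as an added example that is not part of the original article or of ManageEngine's own tooling: confirm the installed build is at least 6114, and look for recently added server-side script files under the web root that nobody deployed. The build-string format, the web-root layout and the sample files are constructed assumptions.

```python
"""Triage helper for CVE-2021-40539 exposure in ADSelfService Plus (example code)."""
import os
import re
import tempfile
import time
from pathlib import Path

FIXED_BUILD = 6114  # build in which ManageEngine patched CVE-2021-40539
# Extensions an uploaded web shell would typically carry (assumption, extend as needed).
SCRIPT_EXTS = {".jsp", ".jspx", ".aspx", ".asp", ".php", ".war"}


def parse_build(version_text: str) -> int:
    """Extract the build number from text such as 'ADSelfService Plus Build 6113'.
    The exact format of the version string is an assumption; raises ValueError if absent."""
    m = re.search(r"[Bb]uild\s*(\d+)", version_text)
    if not m:
        raise ValueError("no build number found in %r" % version_text)
    return int(m.group(1))


def is_vulnerable_build(version_text: str) -> bool:
    """True when the installed build predates the fixed build 6114."""
    return parse_build(version_text) < FIXED_BUILD


def find_recent_scripts(web_root, since_epoch, exts=SCRIPT_EXTS):
    """Return script files under web_root modified at or after since_epoch.
    A fresh JSP/ASPX that no administrator deployed is a candidate web shell."""
    root = Path(web_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in exts and p.stat().st_mtime >= since_epoch
    )


def build_demo_webroot(root: str, now: float) -> None:
    """Populate root with CONSTRUCTED samples: an old legitimate JSP, a recent image,
    and a JSP dropped an hour ago, mimicking a post-exploitation upload."""
    legit = Path(root, "webapps", "app", "index.jsp")
    image = Path(root, "webapps", "app", "logo.png")
    dropped = Path(root, "webapps", "app", "help", "x.jsp")
    for p in (legit, image, dropped):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<!-- constructed sample -->")
    os.utime(legit, (now - 90 * 86400,) * 2)  # deployed months ago
    os.utime(image, (now - 3600,) * 2)         # recent but not a script
    os.utime(dropped, (now - 3600,) * 2)       # recent script: flag it


def demo_scan() -> list:
    """Run the web-root check over the constructed samples, looking back seven days."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_demo_webroot(root, now)
        return find_recent_scripts(root, now - 7 * 86400)
```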
