Description
Researchers have released a security update for a critical authentication bypass vulnerability (CVE-2021-40539). The vulnerability allows attackers to gain access to ADSelfService Plus through REST API URLs; successful exploitation could result in remote code execution (RCE) by remote attackers.
Affected Products: ManageEngine ADSelfService Plus build 6113 and earlier.
Note: Researchers have observed exploitation of this vulnerability in the wild.
Recommendation
Workaround:
It is recommended to keep ADSelfService Plus running at the current released patch level.
This vulnerability can be exploited in unpatched ADSelfService Plus installations. Even if your installation has not yet been affected, we strongly recommend updating it to the latest build, 6114.
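The recommendation above reduces to two defender tasks: find every ADSelfService Plus instance still on build 6113 or earlier, and review access to the product's REST API from outside the network while those instances are being updated. The following Python script is an added example, not part of this advisory and not ManageEngine code. It assumes an inventory of (host, build string) pairs and Apache combined-format access logs, both constructed here; the "restapi" path marker used to select REST API requests and the internal address ranges are assumptions about the deployment, not values taken from the advisory.

```python
import ipaddress
import re

# Threshold from the advisory: builds 6113 and earlier are affected, 6114 carries the fix.
FIRST_FIXED_BUILD = 6114

# Assumed internal address ranges; adjust to the real deployment.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def build_number(build):
    """Extract the numeric build from strings such as '6113', 'build 6105' or '6.1 (6114)'."""
    m = re.search(r"(\d{4,})", str(build))
    if not m:
        raise ValueError(f"unrecognised ADSelfService Plus build: {build!r}")
    return int(m.group(1))


def is_affected_build(build):
    """True when the build is within the range the advisory lists as affected."""
    return build_number(build) < FIRST_FIXED_BUILD


def triage_inventory(inventory):
    """Split (host, build) pairs into hosts that still need build 6114 and hosts already on it."""
    needs_patch, up_to_date = [], []
    for host, build in inventory:
        target = needs_patch if is_affected_build(build) else up_to_date
        target.append((host, build_number(build)))
    return needs_patch, up_to_date


# Constructed inventory; hostnames and build strings are made up for this example.
SAMPLE_INVENTORY = [
    ("adss-prod-01", "6113"),
    ("adss-prod-02", "build 6105"),
    ("adss-lab-01", "6114"),
]

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines; addresses, paths and timestamps are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2021:10:12:01 +0000] "POST /RestAPI/Sample HTTP/1.1" 200 512
10.0.0.15 - - [08/Sep/2021:10:12:05 +0000] "GET /RestAPI/Status HTTP/1.1" 200 244
198.51.100.9 - - [08/Sep/2021:10:13:44 +0000] "GET /help/admin-guide HTTP/1.1" 200 9011
203.0.113.7 - - [08/Sep/2021:10:14:02 +0000] "POST /RestAPI/Other HTTP/1.1" 500 87
"""


def external_rest_api_requests(log_text, api_marker="restapi", internal=INTERNAL_NETWORKS):
    """Return (ip, method, path, status) for REST API requests from non-internal addresses.

    Matching on a 'restapi' path substring is an assumption about the product's URL layout;
    the advisory only states that access is gained through REST API URLs.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than fail the whole review
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in internal):
            continue
        if api_marker not in m["path"].lower():
            continue
        hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    needs_patch, up_to_date = triage_inventory(SAMPLE_INVENTORY)
    print("needs build 6114:", needs_patch)
    print("already patched :", up_to_date)
    for hit in external_rest_api_requests(SAMPLE_LOG):
        print("external REST API request:", hit)
```

Hosts reported under needs_patch should be updated to build 6114 first; the external REST API hits are a starting point for review of those hosts' logs, since the advisory notes exploitation in the wild.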
Reference: