Advanced persistent threat attackers are exploiting a newly identified vulnerability in Zoho ManageEngine ADSelfService Plus, according to a joint advisory from the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA).
CVE-2021-40539 is a critical authentication bypass vulnerability in the software, a self-service password management and single sign-on tool. The FBI, CISA, and CGCYBER have received reports of attackers exploiting the vulnerability to gain access to the tool as early as August 2021.
If successfully exploited, the vulnerability could allow attackers to place Web shells and then conduct post-exploitation activities such as admin credential compromise, lateral movement, and exfiltration of registry hives and Active Directory files, officials report.
"The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software," officials write in an alert. They say the FBI, CISA, and CGCYBER are "proactively investigating and responding to" the attack activity.
Zoho patched the vulnerability on Sept. 6, 2021. Officials urge organizations to update to ADSelfService Plus build 6114 and ensure ADSelfService Plus is not directly accessible from the Internet.
Read CISA's full alert for more information on tactics, techniques, and procedures as well as technical details.