APT Actors Exploit Vulnerability in ManageEngine ADSelfService Plus
Reports confirm a critical security vulnerability in ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) tool for Active Directory environments, is actively being exploited.
This newly discovered vulnerability, CVE-2021-40539, presents a critical authentication bypass risk that affects REST API URLs and can lead to remote code execution (RCE). Federal agencies have identified cyberattacks by state-backed advanced persistent threat (APT) actors leveraging the vulnerability to upload web shells on the web servers with ADSelfService deployments, allowing them to obtain administrative credentials for lateral movement. See the full article, published yesterday by CSO Online, to learn more.
The FBI, United State Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) also released an alert late last week stating, “the exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.” The FBI, CISA, and CGCYBER are strongly urging organizations using ManageEngine ADSelfService Plus to update to ADSelfService Plus build 6114 and ensure it is not directly accessible from the internet. For more information, read the full joint advisory here.