Cyber threat warning

Federal Agencies Identify Vulnerability in ManageEngine ADSelfService Plus

The Federal Bureau of Investigation, the U.S. Coast Guard Cyber Command, and the Cybersecurity and Infrastructure Security Agency on Thursday issued a joint advisory warning the public that sophisticated cyber criminals may exploit a vulnerability in ManageEngine ADSelfService Plus to the detriment of its users. Advanced persistent threat actors, through their exploitation of the cloud applications password manager, pose a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions and other entities that use the software, the advisory stated.

After conducting analytic efforts, the three organizations came to the conclusion that APT cyber actors are likely to target the system’s weakness. The weakness was described as an authentication bypass vulnerability “affecting representational state transfer application programming interface URLs that could enable remote code execution.” Under the government’s Common Vulnerability Scoring System, which rates the severity of cyber risks, the threat on the password management solution received a “critical” rating, CISA said Thursday.

CISA said the successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement and exfiltrating registry hives and Active Directory files.

The FBI, CISA and CGCYBER began receiving reports of malicious cyber actors using exploits against the vulnerability to gain access to ManageEngine ADSelfService Plus as early as August.

To counter the threat, the three agencies advised users to update their systems using the Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on Sept. 6 specifically to remedy its product’s weakness. Additionally, FBI, CISA and CGCYBER strongly urged organizations to ensure that their ADSelfService Plus is not directly accessible from the internet.