Executive Summary
CVE-2021-40539 is a critical vulnerability in Zoho ManageEngine ADSelfService Plus, specifically affecting versions 6113 and prior. This vulnerability allows for REST API authentication bypass, which can result in remote code execution (RCE). The vulnerability has a CVSS v3.1 base score of 9.8, indicating its critical severity. This report delves into the technical details, exploitation in the wild, affected product versions, and mitigation strategies to help organizations safeguard against this significant threat.
Technical Information
CVE-2021-40539 is a severe vulnerability identified in Zoho ManageEngine ADSelfService Plus. The vulnerability is due to an authentication bypass in the REST API, which can be exploited to achieve remote code execution. The CVSS v3.1 score of 9.8 underscores the critical nature of this flaw, with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it is network exploitable, requires low attack complexity, and does not require privileges or user interaction.
The vulnerability is categorized under CWE-706, which pertains to the use of incorrectly-resolved names or references. This flaw allows attackers to bypass authentication mechanisms and execute arbitrary code on the affected systems. The exploitation process typically involves sending specially crafted requests to the vulnerable REST API endpoints, thereby bypassing authentication and gaining unauthorized access.
The vulnerability affects Zoho ManageEngine ADSelfService Plus versions 6113 and prior. The exploitation of this vulnerability can lead to severe consequences, including unauthorized access, data breaches, and potential system compromise. Given the critical nature of this vulnerability, it is imperative for organizations to understand the technical intricacies and implement appropriate mitigation measures.
Exploitation in the Wild
CVE-2021-40539 has been actively exploited in the wild by various threat actors, including Advanced Persistent Threat (APT) groups. These actors have leveraged the vulnerability to gain unauthorized access to systems and execute arbitrary code. The exploitation typically involves bypassing authentication mechanisms via the REST API and executing malicious code.
APT Exploitation: According to Arctic Wolf, APT actors have been exploiting CVE-2021-40539 to target organizations globally. The exploitation involves bypassing authentication mechanisms and executing malicious code via the REST API. More details can be found at Arctic Wolf Blog (https://arcticwolf.com/resources/blog/new-campaign-exploiting-manageengine-adselfservice-plus-vulnerability-cve-2021-40539/).
Public Exploits: Exploitation code for CVE-2021-40539 has been published on GitHub, making it accessible to a broader range of attackers. The exploit code can be found at GitHub - synacktiv/CVE-2021-40539 (https://github.com/synacktiv/CVE-2021-40539).
Metasploit Module: Rapid7 has developed a Metasploit module that exploits this vulnerability to upload a JAR file and execute it. The module is available at Rapid7 Exploit Module (https://www.rapid7.com/db/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539/).
Additional exploitation details have been reported by CloudSEK, which indicates that the vulnerability is actively being exploited in the wild. Attackers are leveraging it to gain unauthorized access and execute arbitrary code. The report can be accessed at CloudSEK Report (https://cloudsek.com/threatintelligence/zoho-manageengine-cve-2021-40539-vulnerability-actively-exploited-in-the-wild).
Packet Storm Security has also published a detailed exploit, providing insights into how the vulnerability can be exploited. The exploit details are available at Packet Storm Security (http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html).
APT Groups using this vulnerability
APT groups have been actively exploiting CVE-2021-40539 to target organizations across various sectors and countries. These groups leverage the vulnerability to gain unauthorized access and execute arbitrary code, leading to potential data breaches and system compromises. The specific APT groups exploiting this vulnerability include those targeting critical infrastructure, financial institutions, and government agencies globally.
Affected Product Versions
The vulnerability affects Zoho ManageEngine ADSelfService Plus versions 6113 and prior. Organizations using these versions are at risk and should prioritize patching to mitigate potential exploitation.
Workaround and Mitigation
To mitigate the risks associated with CVE-2021-40539, organizations should implement the following strategies:
Vendor Patches: Zoho has released patches to address this vulnerability. Users are strongly advised to update to the latest version of ADSelfService Plus. Patch information can be found at ManageEngine Advisory (https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html).
Detection and Response: Organizations should monitor network traffic for unusual API requests and implement strict access controls. Indicators of Compromise (IOCs) include unusual REST API calls to ADSelfService Plus endpoints, unexpected JAR files in the application directory, and log entries showing unauthorized access.
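A small triage helper for two of the indicators named above (odd REST API requests in the web access log and JAR files that do not belong in the application directory), added here as an example rather than taken from the report or the vendor. It assumes Apache/Tomcat combined-format access logs and uses "/RestAPI/" as a placeholder API path prefix; take the exact endpoint names and the application directory from the vendor advisory. The request check is a general CWE-706 style test: a request path that does not equal its own normalized form (dot segments, doubled slashes) is flagged, since well-behaved clients never send such paths to an API.

```python
"""Access-log and JAR-file triage for ADSelfService Plus hosts (added example)."""
import posixpath
import re
from pathlib import Path

API_PREFIX = "/RestAPI/"  # placeholder; replace with the routes listed in the vendor advisory

# Combined log format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_api_requests(lines):
    """Return parsed requests to the API whose path is not in normalized form."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than fail
        path = m.group("path").split("?", 1)[0]
        if API_PREFIX.lower() not in path.lower():
            continue
        if posixpath.normpath(path) != path:
            hits.append({**m.groupdict(), "path": path,
                         "reason": "non-normalized path to REST API"})
    return hits


def unexpected_jars(jar_paths, baseline):
    """Relative .jar paths that are absent from a known-good baseline (e.g. a clean install)."""
    return sorted(set(jar_paths) - set(baseline))


def scan_app_dir(app_dir, baseline):
    """Walk the application directory and report JARs not in the baseline."""
    app_dir = Path(app_dir)
    found = (str(p.relative_to(app_dir)) for p in app_dir.rglob("*.jar"))
    return unexpected_jars(found, baseline)


# Constructed sample lines, not real traffic; the second path is deliberately un-normalized.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2021:10:01:02 +0000] "GET /RestAPI/status HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Sep/2021:10:01:03 +0000] "POST /./RestAPI/example?x=1 HTTP/1.1" 200 88',
    '10.0.0.7 - - [10/Sep/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in suspicious_api_requests(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["method"], hit["path"], "-", hit["reason"])
```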
References
NVD Entry: NVD - CVE-2021-40539 (https://nvd.nist.gov/vuln/detail/CVE-2021-40539)
ManageEngine Advisory: ManageEngine ADSelfService Plus Advisory (https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html)
Arctic Wolf Blog: Arctic Wolf on CVE-2021-40539 (https://arcticwolf.com/resources/blog/new-campaign-exploiting-manageengine-adselfservice-plus-vulnerability-cve-2021-40539/)
GitHub Exploit: GitHub - synacktiv/CVE-2021-40539 (https://github.com/synacktiv/CVE-2021-40539)
Rapid7 Exploit Module: Rapid7 - CVE-2021-40539 (https://www.rapid7.com/db/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539/)
CloudSEK Report: CloudSEK Report (https://cloudsek.com/threatintelligence/zoho-manageengine-cve-2021-40539-vulnerability-actively-exploited-in-the-wild)
Packet Storm Security: Packet Storm Security (http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html)
Rescana is here for you
At Rescana, we understand the critical importance of safeguarding your organization against emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2021-40539. We are committed to providing you with the tools and insights needed to protect your assets and maintain a robust security posture. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.