3rd Party Risk Management , Application Security , Breach Notification

US Warns Nation-State Groups May Exploit Flaw in Zoho Tool

FBI, CISA, Coast Guard Release Joint Warning and Urge Customers to Patch
US Warns Nation-State Groups May Exploit Flaw in Zoho Tool

The U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the U.S. Coast Guard Cyber Command warn users of Zoho Corp.'s single sign-on and password management tool to patch for a critical vulnerability that nation-state groups may look to exploit, according to a joint alert issued this week.

See Also: How to Build Your Cyber Recovery Playbook

The vulnerability, which is now being tracked as CVE-2021-40539, is a bug found in Zoho's ManageEngine ADSelfService Plus - a self-service password management and single sign-on tool. The flaw has a CVSS score of 9.8 out of 10, making the vulnerability "critical."

On Sept. 6, Zoho released ADSelfService Plus build 6114, which contains a fix for CVE-2021-40539, and the joint alert from CISA, the FBI and the Coast Guard urges user of the company's tool to apply the patch as soon as possible.

The joint alert notes that CVE-2021-40539 is now being exploited in the wild by attackers and that nation-state groups might try to use the bug to compromise networks, including those that support the nation's critical infrastructure.

"The FBI, CISA, and [Coast Guard Cyber Command] assess that advanced persistent threat cyber actors are likely among those exploiting the vulnerability," according to the alert issued Thursday. "The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions and other entities that use the software."

The alert also notes that other industries - including transportation, IT, manufacturing, communications, logistics and finance - that use the ManageEngine ADSelfService Plus product could also be targeted by these groups. In its own security alert, Zoho says: "We are noticing indications of this vulnerability being exploited."

On its website, Zoho notes that the company has about 60 million users worldwide and its products are used by Apple, Intel, PayPal and several other well-known companies.


In the alert, CVE-2021-40539 is described as an authentication bypass vulnerability that can affect representational state transfer - REST - API URLs, which could then allow an attacker to conduct remote code execution.

If successfully exploited, an attacker can use the vulnerability to then plant malicious web shells within a network. From there, the attacker can then compromise credentials, move laterally through a network and exfiltrate data, including from registry hives and Active Directory files, the alert notes.

The three U.S. government agencies first noticed attackers exploiting this vulnerability in August before Zoho released the updated software build that fixed the flaw in September. Some of the techniques they found the attackers using include:

  • Writing web shells to the disk to gain initial persistence within a network;
  • Deobfuscating or decoding files or information within a compromised network;
  • Deploying "living off the land" techniques such as using signed Windows binaries;
  • Adding or deleting user accounts as well as stealing copies of Active Directory;
  • Using Windows Management Instrumentation for remote execution.

The joint alert notes that using these techniques might make it difficult for organizations to determine if attackers have compromised the network.

"Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult - the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell," according to the alert.

If users of ManageEngine ADSelfService Plus cannot apply the patch, the three agencies suggest that organizations ensure that the tool is not directly accessible to the public internet. The agencies also recommend resetting domainwide passwords if an attack is suspected.

Possible Attacks

The joint alert issued this week did not reveal specifics about which groups are taking advantage of the vulnerability in ManageEngine ADSelfService Plus, but security researchers note that this is one of several critical flaws that have been found in this particular Zoho product over the past year and say the fact that the tool interacts with Active Directory makes these types of bugs particularly worrisome.

"Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers or other services," says Sean Nikkel, a senior cyberthreat intel analyst at security firm Digital Shadows. "Attackers can then take advantage of 'blending in with the noise' of everyday system activity. It's reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes."

Nikkel adds that in addition to APTs, ransomware gangs are also likely to try and exploit the vulnerability since it would allow them access to Active Directory and user credentials (see: 10 Initial Access Broker Trends: Cybercrime Service Evolves).

"The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future," Nikkel says.

Bert Kashyap, the CEO and co-founder at security firm SecureW2, notes that vulnerabilities such as CVE-2021-40539 show why the federal government's recent decision to move to "zero trust" architectures is necessary to protect vulnerable assets such as Active Directory (see: White House Pushing Federal Agencies Toward 'Zero Trust').

"As long as organizations continue to rely on web-facing applications that tie directly into legacy identity infrastructure like Active Directory, they will continue to be vulnerable to zero-day attacks," Kashyap says.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.