0Day in Zoho servers is actively exploited in hacker attacks


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a zero-day vulnerability in Zoho ManageEngine servers that has been actively exploited in attacks for more than a week.


The issue (CVE-2021-40539) affects Zoho ManageEngine ADSelfService Plus, a password management and single sign-on (SSO) solution from India's Zoho Corporation. The vulnerability can be exploited to bypass authentication through an ADSelfService Plus REST API URL and then execute malicious code on the vulnerable server. The issue is fixed in ADSelfService Plus build 6114.


According to Matt Dahl, an analyst at the information security company CrowdStrike, some evidence indicates that the attacks could be the work of a single hacking group. There is no information yet on the availability of PoC code or technical details of the vulnerability.


According to Zoho's advisory, the presence of the following entries in the log files under the \ManageEngine\ADSelfService Plus\logs folder indicates that the server has been compromised:

- /RestAPI/LogonCustomization
- /RestAPI/Connection
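As an added example (not part of the article or of Zoho's advisory), a small Python script that scans a logs folder for the two indicator paths listed above and reports every matching line. The sample log content and its format are constructed for the demo and do not mirror real ADSelfService Plus log files; the folder to scan is whatever you pass in.

```python
"""Scan ADSelfService Plus log files for the two REST API paths that Zoho's
advisory lists as indicators of compromise for CVE-2021-40539."""
import os
import re
import tempfile

# Indicator paths quoted from the Zoho advisory in the article.
INDICATORS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")
_PATTERN = re.compile("|".join(re.escape(i) for i in INDICATORS))


def scan_log_text(name, text):
    """Return (file, line_no, indicator, line) for each line that mentions an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _PATTERN.search(line)
        if m:
            hits.append((name, n, m.group(0), line.strip()))
    return hits


def scan_log_folder(folder):
    """Walk a logs folder (e.g. ...\\ManageEngine\\ADSelfService Plus\\logs)
    and collect hits from every file in it, regardless of name or extension."""
    hits = []
    for root, _dirs, files in os.walk(folder):
        for f in sorted(files):
            path = os.path.join(root, f)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_log_text(path, fh.read()))
    return hits


# Constructed sample log lines; the format is invented for this demo.
SAMPLE_LOG = """\
[2021-09-08 10:15:01] GET /accounts/login 200
[2021-09-08 10:15:07] POST /RestAPI/LogonCustomization 200
[2021-09-08 10:15:09] POST /RestAPI/Connection 200
[2021-09-08 10:16:00] GET /accounts/home 200
"""


def demo():
    """Write the constructed sample into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "access.log"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG)
        return scan_log_folder(d)


if __name__ == "__main__":
    for path, n, ind, line in demo():
        print(f"{path}:{n}: {ind} -> {line}")
```

A hit only shows that the endpoint was requested, so the matching lines should be reviewed together with the source address and timestamp before treating the host as compromised.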


Currently, more than 11 thousand Zoho ManageEngine servers are reachable from the Internet.
