Make Sure These 15 Most Exploited Vulnerabilities From 2021 Are Patched


CVE-2021-40539

Vendor and product: Zoho ManageEngine AD SelfService Plus

According to Zoho, this bug is an authentication bypass vulnerability in ADSelfService Plus that impacts the REST API URLs that could result in remote code execution.

Per the company's advisory on this bug, the REST API URLs in ADSelfService Plus are authenticated by a specific security filter. Because of an error in normalizing the URLs before validation, attackers could use specially crafted REST API URLs to bypass that security filter. This gave malicious actors access to REST API endpoints that could be exploited to perform subsequent attacks, including arbitrary command execution.
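As an added illustration of the bug class the advisory describes (a path-based authentication filter that validates the URL before normalizing it), and not ManageEngine's own code: a hypothetical request filter that gates a protected API prefix, shown in its weak form beside the corrected form that canonicalizes the path first. The `/RestAPI/` prefix and the sample paths are assumptions constructed for the example.

```python
# Added illustrative example (not ManageEngine's code): an authentication
# filter that decides whether a request path falls under a protected API
# prefix. The weak version inspects the raw path as received; the fixed
# version canonicalizes the path before applying the same check, so that
# equivalent spellings of a URL all reach the same decision.
from urllib.parse import unquote
import posixpath

PROTECTED_PREFIX = "/RestAPI/"   # hypothetical protected API prefix (assumption)


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path: drop the query string, decode
    percent-encoding, collapse '.', '..' and repeated '/' segments, and
    guarantee exactly one leading slash."""
    path = raw_path.split("?", 1)[0] or "/"
    path = unquote(path)
    # posixpath.normpath resolves "/./", "/x/../" and "//" segments;
    # lstrip + "/" avoids the POSIX special case that keeps "//" intact.
    return "/" + posixpath.normpath(path).lstrip("/")


def requires_auth_weak(raw_path: str) -> bool:
    """Weak filter: matches the prefix against the un-normalized path, so a
    path that only differs in spelling is not recognized as protected."""
    return raw_path.startswith(PROTECTED_PREFIX)


def requires_auth_fixed(raw_path: str) -> bool:
    """Corrected filter: normalize first, then match the protected prefix."""
    return normalize_path(raw_path).startswith(PROTECTED_PREFIX)


def compare(raw_path: str) -> dict:
    """Return both decisions for a path; a mismatch marks a request the weak
    filter would have let through unauthenticated."""
    weak, fixed = requires_auth_weak(raw_path), requires_auth_fixed(raw_path)
    return {"path": raw_path, "normalized": normalize_path(raw_path),
            "weak": weak, "fixed": fixed, "bypassed_weak_filter": fixed and not weak}


if __name__ == "__main__":
    # Constructed sample paths: one plain, one with a redundant segment,
    # one percent-encoded, one unrelated. Only the last should be public.
    for p in ["/RestAPI/Example", "/./RestAPI/Example",
              "/%52estAPI/Example", "/help/index.html"]:
        print(compare(p))
```
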
