CISA & FBI: Zoho Flaws Being Actively Exploited, Patch Now

{Updated on November 12}: Palo Alto Networks’ cybersecurity researchers warn of a continuing cyberespionage campaign that has already infiltrated at least nine enterprises, including those in the defence, healthcare, and energy sectors. Following the initial intrusion, the threat actors allegedly installed either a Godzilla webshell or a new backdoor known as NGLite, which allowed them to perform commands and move around while exfiltrating files of interest.


On November 8, 2021, Microsoft found DEV-0322, a China-based threat group, exploiting Zoho ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539. This threat group had previously been observed in attacks targeting the SolarWinds Serv-U software with a 0-day exploit.


The FBI, CISA, and the Coast Guard Cyber Command (CGCYBER) warned of a serious vulnerability (CVE-2021-40539) in a Zoho single sign-on and password management solution, and that state-backed advanced persistent threat (APT) actors are actively scanning the internet for vulnerable servers.

Zoho discovered a zero-day vulnerability in the Zoho ManageEngine ADSelfService Plus software, a password management solution, that might allow threat actors to take control of the system. Tracked as CVE-2021-40539, the bug is a remote code execution flaw with a severity rating of 9.8 out of 10.


On September 06, 2021, a patch was released for this critical remote code execution flaw. More specifically, this vulnerability is an authentication bypass issue that can affect the REST API URLs in ADSelfService Plus. Organizations using Zoho ManageEngine ADSelfService Plus that haven’t yet applied the patch are at heightened risk of compromise.


Attackers Aiming for Unpatched Servers


CISA’s advisory makes it explicit, stating that CVE-2021-40539 has been identified as being exploited in the wild. Successful exploitation of this issue could pose a serious threat to critical infrastructure in organizations that use the servers.


According to researchers at security firm CrowdStrike, CVE-2021-40539 had been under attack for more than a week before the attacks against Confluence servers began.

The Port of Houston, a vital piece of Gulf Coast infrastructure, recently disclosed that it had successfully fought off an attempted breach in August and that no functional data or systems were affected. Officials suspect that nation-state actors are behind the hack, which involved ManageEngine ADSelfService Plus. Patching Zoho servers is therefore crucial at the moment.


Highlighting Facts of the Issue

  • This vulnerability is categorized as CWE-287 (Improper Authentication), which holds fourteenth place in the 2021 CWE Top 25 Most Dangerous Software Weaknesses and is listed in the OWASP Top 10 for 2021 under category A07.

  • “Three out of five Fortune 500 companies” use Zoho, including Apple, Intel, Nike, PayPal, HBO, and many others.

  • Since August 2021, APTs have been exploiting this flaw as part of their attacks.

  • There are more than 11,000 Zoho ManageEngine servers accessible over the Internet.

  • All the popular scanners such as Nessus, Qualys and Nexpose were able to detect this vulnerability.

  • An attacker can use webshells to execute actions including compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory data after successfully exploiting the vulnerability.

  • This CVE is seen trending in Canada, India, and the United States.

CVE-2021-40539 Trending Regions


The fact that APT groups are actively exploiting the CVE-2021-40539 flaw serves as a warning about the potential for exposure. Before extortion groups continue this trend by exploiting the flaw for ransomware and APT activity, we recommend that all Zoho users update ADSelfService Plus to build 6114 or later.


Fifth Zero Day


CVE-2021-40539 is the fifth security flaw discovered in ManageEngine ADSelfService Plus since the beginning of the year. In March 2021, a fourth vulnerability, CVE-2021-28958 (CVSS score: 9.8), was patched while three weaknesses have been fixed in recent updates: CVE-2021-37421 (CVSS score: 9.8), CVE-2021-37417 (CVSS score: 9.8), and CVE-2021-33055 (CVSS score: 9.8).


2021 Zoho Vulnerabilities    Impacted Versions
CVE-2021-40539               6113
CVE-2021-37421               6103 and earlier
CVE-2021-37417               6103 and earlier
CVE-2021-33055               6102
CVE-2021-28958               6101

Indicator of Compromise


The following IoCs were outlined by CISA.





File Paths

C:\ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports\ReportGenerate.jsp

C:\ManageEngine\ADSelfService Plus\webapps\adssp\html\promotion\adap.jsp


C:\ManageEngine\ADSelfService Plus\jre\bin\SelfSe~1.key (filename varies with an epoch timestamp of creation, extension may vary as well)

C:\ManageEngine\ADSelfService Plus\webapps\adssp\Certificates\SelfService.csr

C:\ManageEngine\ADSelfService Plus\bin\service.cer



C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\help (including subdirectories and contained files)
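
The file-path indicators above can be checked on a server with a short triage script. This is an added example, not code from CISA or Zoho; the `scan` function, the prefix match used for the `SelfSe~1.key` entry, and the default install root are assumptions of the example.

```python
"""Triage an ADSelfService Plus install for the file-path IoCs on this page."""
import sys
import time
from pathlib import Path

# Paths relative to the install root, taken from the IoC list on this page.
IOC_FILES = [
    "webapps/adssp/help/admin-guide/reports/ReportGenerate.jsp",
    "webapps/adssp/html/promotion/adap.jsp",
    "webapps/adssp/Certificates/SelfService.csr",
    "bin/service.cer",
]
# The listing covers this directory's subdirectories and files as well.
IOC_TREE = "work/Catalina/localhost/ROOT/org/apache/jsp/help"
# "SelfSe~1.key" is an 8.3 short name whose long form and extension vary, so
# this example matches on the name prefix inside jre/bin (an assumption).
KEY_DIR, KEY_PREFIX = "jre/bin", "selfse"


def _hit(path, reason):
    st = path.stat()
    mtime = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime))
    return {"path": str(path), "reason": reason, "size": st.st_size, "mtime_utc": mtime}


def scan(install_root):
    """Return one record per IoC file found under install_root."""
    root = Path(install_root)
    hits = [_hit(root / rel, "listed file") for rel in IOC_FILES if (root / rel).is_file()]
    tree = root / IOC_TREE
    if tree.is_dir():
        hits += [_hit(p, "file under jsp/help") for p in sorted(tree.rglob("*")) if p.is_file()]
    key_dir = root / KEY_DIR
    if key_dir.is_dir():
        hits += [_hit(p, "SelfSe* file in jre/bin") for p in sorted(key_dir.iterdir())
                 if p.is_file() and p.name.lower().startswith(KEY_PREFIX)]
    return hits


if __name__ == "__main__":
    # Default root is the one shown in the IoC list; pass another as argv[1].
    default_root = r"C:\ManageEngine\ADSelfService Plus"
    found = scan(sys.argv[1] if len(sys.argv) > 1 else default_root)
    for h in found:
        print(f'{h["mtime_utc"]}  {h["size"]:>8}  {h["reason"]:<24} {h["path"]}')
    sys.exit(1 if found else 0)
```

The exit status is 1 when any listed path is present, and the recorded modification times can be used to place each file on an incident timeline.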

WebShell URL Paths



Fix with a Patch

Zoho ManageEngine has created a dedicated tool to evaluate whether an ADSelfService Plus installation is vulnerable to the authentication bypass flaw. Users may also manually verify whether their installation has been compromised by following the steps listed in the Zoho advisory. Additionally, the FBI, CISA, and CGCYBER strongly advise Zoho users to apply domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets.


All ADSelfService Plus builds up to 6113 were found vulnerable to the issue and customers are advised to immediately update ADSelfService Plus to build 6114 or later.

