Zoho Patches ManageEngine Password Management Vulnerability

Zoho has released a security update to patch a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. Hackers have been exploiting the vulnerability in the wild, according to a CISA (Cybersecurity and Infrastructure Security Agency) alert.

If left unpatched, a remote attacker could exploit this vulnerability to take control of an affected system, CISA says.

ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. Additionally, CISA strongly urges organizations to ensure ADSelfService Plus is not directly accessible from the Internet, the alert said.

ManageEngine's software is popular with MSPs that remotely monitor and manage end-customer systems.

Hackers have been targeting MSP-centric software tools to launch supply chain attacks that extend out to end-customers.

Joe Panettieri
