
New Campaign Exploiting ManageEngine ADSelfService Plus Vulnerability - CVE-2021-40539

Background

Security researchers at Microsoft and Palo Alto Networks are reporting a new campaign targeting ManageEngine ADSelfService Plus servers that are vulnerable to CVE-2021-40539. Microsoft has attributed this campaign to a threat group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.

| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
| --- | --- | --- | --- | --- |
| CVE-2021-40539 | 9.8 | Critical | Improper Authentication & Remote Code Execution | REST API authentication bypass with resultant remote code execution. |

Analysis

CVE-2021-40539

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable host. Successful exploitation would grant the attacker remote code execution. The vulnerability was patched on September 6, 2021. CVE-2021-40539 has been exploited to deploy webshells and establish persistence in target environments.

On September 16, 2021, the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) first alerted the public to activity targeting CVE-2021-40539.

Solutions and Recommendations

Arctic Wolf strongly recommends that those running vulnerable versions of ManageEngine ADSelfService Plus review the recommendations below and immediately apply the latest patch to affected servers.

ManageEngine has indicated in its advisory that specific versions are affected by this vulnerability. We recommend reviewing the table below to determine whether you are running any outdated versions of this software in your environment, and patching as soon as possible.

| Stable Version | Compromised Versions |
| --- | --- |
| Build 6114 and newer | Build 6113 and older |


About the Author

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.
