New Campaign Exploiting ManageEngine ADSelfService Plus Vulnerability – CVE-2021-40539


Background

Security researchers at Microsoft and Palo Alto Networks are reporting a new campaign targeting ManageEngine ADSelfService Plus servers that are vulnerable to CVE-2021-40539. Microsoft has attributed this campaign to a threat group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.

CVE ID: CVE-2021-40539
CVSS Score V3: 9.8
CVSS Criticality: Critical
Type: Improper Authentication & Remote Code Execution
Description: REST API authentication bypass with resultant remote code execution.

Analysis

CVE-2021-40539

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus. A remote, unauthenticated attacker could exploit it by sending a specially crafted request to a vulnerable host; successful exploitation grants the attacker remote code execution. The vulnerability was patched on September 6, 2021. CVE-2021-40539 has been exploited to deploy webshells and establish persistence in target environments.

On September 16, 2021, the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) first alerted the public of activity targeting CVE-2021-40539.

Solutions and Recommendations

Arctic Wolf strongly recommends that anyone running a vulnerable version of ManageEngine ADSelfService Plus review the recommendations below and apply the latest patch to affected servers immediately.

ManageEngine's advisory lists the specific versions affected by this vulnerability. Review the table below to determine whether any outdated builds of this software are running in your environment, and patch them as soon as possible.

Stable Version: Build 6114 and newer
Compromised Versions: Build 6113 and older
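As an added example (not code from the advisory or from ManageEngine), the check above can be applied to a host inventory: each server's product version string is parsed for its build number and compared against build 6114. The inventory, hostnames and version-string format are constructed assumptions; hosts whose version cannot be parsed are reported as "unknown" so they are verified manually rather than silently treated as patched.

```python
import re
from typing import Optional

# Threshold from the advisory: builds 6113 and older are affected by
# CVE-2021-40539, build 6114 and newer carry the fix.
FIXED_BUILD = 6114

# Matches the build number in version strings such as "6.1 Build 6113"
# (the exact string format is an assumption, not a documented product value).
BUILD_RE = re.compile(r"build\s*(\d{4,})", re.IGNORECASE)


def parse_build(version: str) -> Optional[int]:
    """Extract the numeric build from a version string, or None if absent."""
    match = BUILD_RE.search(version or "")
    return int(match.group(1)) if match else None


def assess(version: str) -> str:
    """Classify one host as 'vulnerable', 'patched' or 'unknown'."""
    build = parse_build(version)
    if build is None:
        return "unknown"  # unparseable: verify the build on the host manually
    return "patched" if build >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Return {hostname: status} for a list of {"host": ..., "version": ...}."""
    return {item["host"]: assess(item.get("version", "")) for item in inventory}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "adss-01.corp.example", "version": "6.1 Build 6113"},
    {"host": "adss-02.corp.example", "version": "6.1 Build 6114"},
    {"host": "adss-03.corp.example", "version": "Build 6105"},
    {"host": "adss-04.corp.example", "version": "n/a"},
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```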


Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.