Zoho's ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory and cloud applications, has received a patch for a critical bug that let threat actors bypass authentication and take over victims' AD and cloud accounts, Threatpost reports.
Specifically, the flaw is an authentication bypass affecting the product's REST API URLs: an attacker who sends a specially crafted request to these URLs can get past authentication and then carry out further attacks, up to and including remote code execution. Assessments by both Zoho and the Cybersecurity and Infrastructure Security Agency (CISA) indicate that the bug has already been exploited in the wild. The issue affects builds 6113 and earlier; build 6114 contains the fix.
CISA urges potential victims to apply the patch right away, and it also recommends that all ADSelfService Plus users ensure the application is not directly exposed to the internet.
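Two facts in the report combine into a check worth running before and after patching: the REST API URLs are the attack surface, and the instance should not be reachable from the internet. So the question for the web access log is simply whether any URL under the REST API prefix was ever requested from an address outside your own network. The script below is an added example, not code from Zoho, CISA or Threatpost. It assumes the access log is in Apache/Tomcat combined format, it treats the RFC 1918, loopback and link-local ranges as "internal" (replace INTERNAL_NETS with your real address space), and the sample log lines are constructed, with placeholder endpoint names rather than the specific vulnerable URLs, which the article does not name.

```python
"""Flag ADSelfService Plus REST API requests that arrived from outside the
internal network.  Added example; not vendor or CISA code.  Assumes a
combined-format web access log; sample lines below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Combined log format (assumed): src ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Every URL under this prefix is in scope; the individual vulnerable
# endpoints are deliberately not enumerated here.
REST_PREFIX = "/RestAPI/"

# Address space that is allowed to reach the instance.  These are the generic
# RFC 1918 / loopback / link-local defaults; substitute your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class Finding:
    src: str
    ts: str
    method: str
    path: str      # query string stripped
    status: int


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable source: treat as external so it gets reviewed
    # `ip in net` is False when the IP versions differ, so mixing v4/v6 is safe
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Finding]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return Finding(m.group("src"), m.group("ts"), m.group("method"),
                   path, int(m.group("status")))


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return every REST API request whose source is not internal.

    Failed requests (e.g. 401) are kept on purpose: they still prove the
    REST API surface was reachable from outside."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None or not f.path.startswith(REST_PREFIX):
            continue
        if is_internal(f.src):
            continue
        findings.append(f)
    return findings


def external_sources(findings: Iterable[Finding]) -> List[str]:
    """Distinct external source addresses, sorted, for triage."""
    return sorted({f.src for f in findings})


# Constructed sample log (not a real capture); endpoint names are placeholders.
SAMPLE_LOG = """\
10.0.4.17 - - [09/Sep/2021:10:15:02 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.4.17 - - [09/Sep/2021:10:15:09 +0000] "POST /RestAPI/ExampleEndpoint HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.45 - - [09/Sep/2021:10:16:41 +0000] "POST /RestAPI/ExampleEndpoint?foo=bar HTTP/1.1" 200 128 "-" "python-requests/2.25.1"
203.0.113.45 - - [09/Sep/2021:10:16:42 +0000] "POST /RestAPI/AnotherEndpoint HTTP/1.1" 200 64 "-" "python-requests/2.25.1"
198.51.100.7 - - [09/Sep/2021:10:20:00 +0000] "GET /RestAPI/ExampleEndpoint HTTP/1.1" 401 0 "-" "curl/7.68.0"
this line is not in the expected format
"""

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.src} {h.method} {h.path} -> {h.status}")
    print("external sources:", external_sources(hits))
```

On the constructed input the internal 10.0.4.17 traffic is ignored and the three requests from 203.0.113.45 and 198.51.100.7 are reported, the 401 included. Any hit at all means the REST API was reachable from outside, which is exactly what CISA's advice is meant to rule out; successful (2xx) POSTs from external addresses on a build at or below 6113 are the lines to escalate to incident response.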