title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
id: fcbb4a77-f368-4945-b046-4499a1da69d1
status: experimental
description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
references:
    - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
    - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
author: Sittikorn S, Nuttakorn Tungpoonsup
date: 2021/09/10
modified: 2021/09/17
tags:
    - attack.initial_access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
    definition: 'Logs must be collected from \ManageEngine\ADSelfService Plus\logs'
detection:
    selection:
        c-uri|contains:
            - '/help/admin-guide/Reports/ReportGenerate.jsp'
            - '/RestAPI/LogonCustomization'
            - '/RestAPI/Connection'
    condition: selection
fields:
    - c-ip
    - c-uri
falsepositives:
    - Unknown
level: critical