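# Sigma rule: flags web-server log entries whose request URI contains one of
# two ADSelfService Plus REST API paths tied to CVE-2021-40539 (see references).
# The nesting below is restored according to the Sigma rule layout
# (logsource / detection / selection); keys and values are kept as given.
title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
id: fcbb4a77-f368-4945-b046-4499a1da69d1
status: experimental
description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
references:
  - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
  - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
author: Sittikorn S, Nuttakorn L
date: 2021/09/10
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: zoho_manageengine
  category: webserver
  # The rule only works if the product's own logs directory is collected.
  # NOTE(review): confirm the ingested log format exposes the c-uri and c-ip
  # fields used below; the page does not show a field mapping.
  definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
detection:
  selection:
    # Substring match on the request URI. Nothing here constrains the HTTP
    # method or the response status, so a hit means a request touched one of
    # these paths, not that the bypass succeeded. Triage against the patch
    # state of the instance (vendor KB in references) and against other
    # activity from the same c-ip.
    c-uri|contains:
      - '/RestAPI/LogonCustomization'
      - '/RestAPI/Connection'
  condition: selection
# Fields surfaced to the analyst with each match.
fields:
  - c-ip
  - c-uri
# NOTE(review): only pentesting is listed. Internet-wide scanning for these
# paths, and possibly legitimate use of the same endpoints, would match too;
# verify in your environment before alerting at this level.
falsepositives:
  - External Pentesting
level: critical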