ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539)
Description
ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud applications.
Versions 6113 and earlier contain a critical authentication bypass vulnerability (CVE-2021-40539) in the REST API endpoints. This flaw allows remote attackers to circumvent authentication controls and gain unauthorized access to the application without providing valid credentials. The vulnerability has been actively exploited in the wild and poses a significant risk to organizations using affected versions.
Remediation
Apply the following remediation steps immediately:
1. Upgrade ManageEngine ADSelfService Plus to build 6114 or later, which addresses this vulnerability
2. If immediate patching is not possible, restrict network access to the ADSelfService Plus server by implementing firewall rules that limit access to trusted IP addresses only
3. Review system logs for any suspicious authentication attempts or REST API calls from unexpected sources
4. After patching, reset credentials for all administrative accounts and review user account modifications made during the vulnerable period
5. Verify the integrity of the installation by comparing file hashes against known good versions
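Steps 2 and 3 above amount to one check: which requests reached the REST API from addresses outside the set you consider trusted. The script below is an added illustration of that review, not part of this advisory or of the vendor's tooling. It assumes a generic web-access-log layout and a "/RestAPI/" path prefix (adjust both to the server's actual log format and layout); the log lines, the trusted network range and the endpoint names in the paths are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a generic access-log layout (not real
# ADSelfService Plus output). Endpoint names after /RestAPI/ are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2021:14:02:11 +0000] "POST /RestAPI/sample HTTP/1.1" 200 512
10.0.5.21 - - [10/Sep/2021:14:03:40 +0000] "GET /RestAPI/sample HTTP/1.1" 200 311
10.0.5.21 - - [10/Sep/2021:14:04:02 +0000] "GET /help/index.html HTTP/1.1" 200 77
198.51.100.9 - - [10/Sep/2021:14:05:13 +0000] "POST /RestAPI/sample HTTP/1.1" 200 640
198.51.100.9 - - [10/Sep/2021:14:05:14 +0000] "POST /RestAPI/sample HTTP/1.1" 200 640
10.0.5.30 - - [10/Sep/2021:14:06:00 +0000] "POST /login HTTP/1.1" 401 0
this line is not a valid log record
"""

# Assumed trusted range: internal management network (placeholder value).
TRUSTED_NETWORKS = ["10.0.0.0/8"]

# Assumed prefix under which the application serves its REST API.
API_PREFIX = "/RestAPI/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip, networks):
    """True when ip falls inside any trusted network; unparsable -> untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def review_log(text, trusted_cidrs, api_prefix=API_PREFIX):
    """Return every REST API request whose source is outside the trusted set."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(api_prefix) and not is_trusted(rec["ip"], networks):
            findings.append(rec)
    return findings


def summarize(findings):
    """Count flagged REST API requests per source address."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG, TRUSTED_NETWORKS)
    for ip, count in summarize(hits).most_common():
        print(f"{ip}: {count} REST API request(s) from outside trusted networks")
    for rec in hits:
        print(f'  {rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents and TRUSTED_NETWORKS with the ranges your firewall rule (step 2) allows; a successful (2xx) REST API request from an address outside those ranges during the vulnerable period is exactly the kind of event step 3 asks you to investigate, and the per-address counts make repeated probing from one source stand out.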
Refer to the vendor security advisory for detailed upgrade instructions and additional security hardening recommendations.