CVE-2021-40539 — Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability

CVE-2021-40539

Zoho ManageEngine ADSelfService Plus — REST API Auth Bypass Enabling Unauthenticated RCE, Exploited by APT33 and Chinese APT Groups

What is Zoho ManageEngine ADSelfService Plus?

Zoho ManageEngine ADSelfService Plus is an enterprise self-service password management and single sign-on platform for Active Directory environments. It allows employees to reset their own passwords, unlock accounts, and enroll in multi-factor authentication without IT helpdesk involvement. ADSelfService Plus is tightly integrated with Active Directory and often deployed facing corporate networks or the internet to support remote workers. Because it integrates directly with AD and processes authentication for the organization's users, it is an extremely high-value target for attackers seeking domain access.

Overview

CVE-2021-40539 is a critical authentication bypass vulnerability (CWE-706) in Zoho ManageEngine ADSelfService Plus. Certain REST API URLs bypass authentication due to incorrect URL pattern matching in the servlet filter configuration. An unauthenticated attacker can reach these endpoints and exploit them for remote code execution. CISA issued an advisory in September 2021 warning that multiple APT groups — including Chinese-nexus actors and APT33 — were actively exploiting this vulnerability to compromise organizations including defense contractors, healthcare, and educational institutions.

Affected Versions

Product              Vulnerable      Fixed
ADSelfService Plus   < Build 6114    Build 6114

Technical Details

ADSelfService Plus uses a Java servlet filter to enforce authentication on web requests; the filter is mapped by URL pattern, so the pattern list decides which requests must carry a valid session. The filter configuration has a flaw in how it matches certain REST API URL patterns:

  • Root cause: Authentication filter bypass (CWE-706 — use of incorrectly-resolved name or reference) — certain REST API URL patterns are not matched by the authentication filter, allowing unauthenticated access
  • Bypass pattern: Specific REST API endpoints for SAML SSO and password-related operations are reachable without authentication
  • RCE path: The accessible REST API endpoints support file upload or script execution that, when exploited, achieves code execution on the ADSelfService Plus server
  • Execution context: Code runs as the ADSelfService Plus service account — which has AD integration privileges including the ability to reset passwords and manage user accounts

Discovery

Identified by security researchers and exploited by APT actors before the patch was widely applied. ManageEngine released the patch in August 2021; CISA issued a warning of active APT exploitation in September 2021.

Exploitation Context

Multiple APT groups, including Chinese-nexus actors and groups with ties to Iranian intelligence (APT33/Elfin), exploited CVE-2021-40539 against US defense contractors, educational institutions, and healthcare organizations. The attackers used the initial foothold to deploy webshells, enumerate AD infrastructure, steal credentials, and in some cases deploy ransomware. ADSelfService Plus's position in AD management made it a particularly valuable compromise target: access to AD allows adversaries to persist, escalate, and move laterally across the entire organization.

Remediation

  1. Upgrade ADSelfService Plus to Build 6114 or later immediately
  2. If the ADSelfService Plus server was internet-accessible before patching, treat it as potentially compromised — check for webshells in the application directories
  3. Restrict ADSelfService Plus access to internal/VPN-connected users only
  4. Review Active Directory for unauthorized account modifications, new privileged accounts, or password resets during the exploitation window
  5. Audit ADSelfService Plus access logs for REST API calls to authentication-bypassed endpoints
  6. Rotate all service account credentials used by ADSelfService Plus for AD integration
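Steps 2 and 5 of the remediation above are log and file review tasks. The following Python script is an added example, not part of this advisory or the vendor's tooling: it walks web-server access-log lines, flags every request under an assumed REST API prefix (the `/RestAPI/` prefix and the endpoint names are placeholders to be replaced with the paths named in the vendor's and CISA's guidance), and then flags later `.jsp` requests from the same source address, which is the access pattern a dropped webshell leaves behind. The sample log lines are constructed.

```python
import re

# Tomcat/Apache combined access-log format; trailing fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Placeholder: the REST API prefix and the exact endpoints that escape the
# authentication filter come from the vendor's and CISA's guidance.
REST_PREFIX = "/RestAPI/"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return None if m is None else {**m.groupdict(), "status": int(m.group("status"))}

def audit(lines, rest_prefix=REST_PREFIX):
    """Walk an access log (assumed chronological) and return two lists:
    rest_hits      - every request under the REST API prefix, matched
                     case-insensitively so spelling variants are not missed;
    jsp_after_rest - later .jsp requests from a source IP that already hit
                     the prefix, the pattern a dropped webshell produces."""
    rest_hits, jsp_after_rest = [], []
    seen_rest = set()  # source IPs that have touched the REST prefix
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path.startswith(rest_prefix.lower()):
            rest_hits.append(rec)
            seen_rest.add(rec["ip"])
        elif rec["ip"] in seen_rest and path.endswith(".jsp"):
            jsp_after_rest.append(rec)
    return rest_hits, jsp_after_rest

# Constructed sample log: 203.0.113.7 is a documentation-range (RFC 5737)
# address standing in for an external client; all paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2021:10:01:02 +0000] "GET /authorization.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Sep/2021:10:05:11 +0000] "POST /RestAPI/endpoint-placeholder HTTP/1.1" 200 312 "-" "python-requests/2.25"',
    '203.0.113.7 - - [15/Sep/2021:10:05:12 +0000] "POST /restapi/endpoint-placeholder?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.25"',
    '203.0.113.7 - - [15/Sep/2021:10:05:40 +0000] "GET /help/placeholder-shell.jsp?a=1 HTTP/1.1" 200 64 "-" "python-requests/2.25"',
    '10.0.0.9 - - [15/Sep/2021:10:06:00 +0000] "GET /help/admin-guide.jsp HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, shells = audit(SAMPLE_LOG)
    print(len(hits), "REST prefix hits;", len(shells), "possible webshell accesses")
```

A hit on the REST prefix from an external address is worth an investigation on its own; a later `.jsp` request from that same address is the stronger indicator and should be checked against the application's file tree.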

Key Details

Property              Value
CVE ID                CVE-2021-40539
Vendor / Product      Zoho — ManageEngine
NVD Published         2021-09-07
NVD Last Modified     2025-11-05
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-706
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-08-17  ManageEngine releases ADSelfService Plus Build 6114 patching CVE-2021-40539
2021-09-07  CVE published
2021-09-16  CISA issues advisory warning of active exploitation by APT actors
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline