FBI warns hackers could be exploiting critical Zoho bug


In a new joint security advisory, the FBI, CISA and the Coast Guard Cyber Command (CGCYBER) are warning enterprise organizations that state-sponsored advanced persistent threat (APT) groups are actively exploiting a critical flaw in software from Zoho.

The vulnerability itself, tracked as CVE-2021-40539, was discovered in Zoho's ManageEngine ADSelfService Plus software that provides both single sign-on and password management capabilities. If this flaw is exploited successfully, it can allow an attacker to take over vulnerable systems on a company's network.

This new joint security advisory comes on the heels of a similar warning recently issued by CISA alerting organizations that the security flaw, which can be exploited to achieve remote code execution, in Zoho's software is being actively exploited in the wild.

CISA provided further details on how threat actors are exploiting this vulnerability in its joint security advisory with the FBI and CGCYBER, saying:

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

Lateral movement

When the authentication bypass vulnerability in ManageEngine ADSelfService has been exploited in the wild, attackers have leveraged it to deploy JavaServer Pages (JSP) web shells disguised as an X509 certificate.

By deploying this web shell, attackers are able to move laterally across an organization's network using Windows Management Instrumentation (WMI) to gain access to domain controllers and dump NTDS.dit and SECURITY/SYSTEM registry hives, according to a new report from BleepingComputer.
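A defender-side check for the disguise described above, added here as an example and not code from the advisory or from BleepingComputer's report: it walks an assumed web-application directory and flags any file with a certificate extension whose content is JSP rather than X.509. The directory, file names and file contents are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# File extensions an operator would expect to hold X.509 material.
CERT_EXTENSIONS = {".cer", ".crt", ".pem", ".der"}
# Any JSP scriptlet or directive tag; a genuine certificate file never contains one.
JSP_TAG = re.compile(rb"<%[@=!]?.*?%>", re.DOTALL)
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def looks_like_certificate(data: bytes) -> bool:
    """True for PEM text or a DER blob (an ASN.1 SEQUENCE starts with 0x30)."""
    stripped = data.lstrip()
    return stripped.startswith(PEM_HEADER) or stripped[:1] == b"\x30"


def classify_file(path: Path) -> str:
    """Label one file; only certificate-named files are inspected."""
    if path.suffix.lower() not in CERT_EXTENSIONS:
        return "not-cert-ext"
    data = path.read_bytes()
    if JSP_TAG.search(data):
        return "jsp-disguised-as-cert"   # the pattern the advisory describes
    if looks_like_certificate(data):
        return "certificate"
    return "unrecognised-cert-ext"       # neither cert nor JSP: review by hand


def scan_tree(root: Path) -> dict:
    """Walk an (assumed) web-application directory and label every file."""
    return {str(p.relative_to(root)): classify_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


def build_sample_tree() -> Path:
    """Constructed fixture, not real data: one benign PEM, one JSP named as a cert."""
    root = Path(tempfile.mkdtemp())
    (root / "good.cer").write_bytes(
        PEM_HEADER + b"\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n")
    (root / "odd.cer").write_bytes(
        b'<%@ page import="java.io.*" %>\n<% out.println("constructed sample"); %>\n')
    (root / "readme.txt").write_bytes(b"unrelated file")
    return root


if __name__ == "__main__":
    for name, label in scan_tree(build_sample_tree()).items():
        print(f"{label:24} {name}")
```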

It's worth noting that the APT groups actively exploiting this vulnerability in the wild have launched attacks targeting organizations across a variety of industries including academia, defense, transportation, IT, manufacturing, communications, logistics and finance.

Organizations that use Zoho ManageEngine ADSelfService should update their software to the latest version which was released earlier this month and contains a patch for CVE-2021-40539. The FBI, CISA and CGCYBER also recommend that organizations ensure that ADSelfService Plus is not directly accessible from the internet to prevent falling victim to any potential attacks leveraging this vulnerability.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
