CVE-2021-37417
📋 TL;DR
This vulnerability allows attackers to bypass CAPTCHA protection in Zoho ManageEngine ADSelfService Plus, potentially enabling brute-force attacks or unauthorized access attempts. Organizations using ADSelfService Plus version 6103 and prior are affected.
💻 Affected Systems
- Zoho ManageEngine ADSelfService Plus
📦 What is this software?
Manageengine Adselfservice Plus by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass authentication mechanisms entirely, gaining unauthorized access to sensitive Active Directory data or performing account takeovers.
Likely Case
Attackers bypass CAPTCHA to conduct credential stuffing or brute-force attacks against user accounts.
If Mitigated
With proper network segmentation and monitoring, impact is limited to failed authentication attempts that trigger alerts.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to bypass CAPTCHA validation. Technical details are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6104 and later
Vendor Advisory: https://www.manageengine.com/products/self-service-password/release-notes.html
Restart Required: Yes
Instructions:
1. Download ADSelfService Plus version 6104 or later from the ManageEngine website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the ADSelfService Plus service.
🔧 Temporary Workarounds
Disable CAPTCHA temporarily
Disable the CAPTCHA feature to prevent bypass attacks while planning the upgrade
Navigate to Admin -> Self-Service -> Security Settings -> CAPTCHA Settings and disable
Network access restrictions
Restrict access to the ADSelfService Plus portal to trusted IP ranges only
Configure firewall rules to limit access to specific IP addresses/networks
🧯 If You Can't Patch
- Implement rate limiting and account lockout policies to mitigate brute-force attempts
- Enable detailed logging and monitoring for authentication attempts and review regularly
🔍 How to Verify
Check if Vulnerable:
Check the ADSelfService Plus version under Admin -> About. If the version is 6103 or lower, the system is vulnerable.
Check Version:
Check the web interface at /about.html or examine the version files in the installation directory.
Verify Fix Applied:
Verify that the version shown under Admin -> About is 6104 or higher, then test that CAPTCHA functionality works.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from same source
- CAPTCHA validation failures
- Unusual authentication patterns
Network Indicators:
- HTTP requests to CAPTCHA endpoints with manipulated parameters
- High volume of authentication requests
SIEM Query:
source="ADSelfService" AND ((event_type="authentication_failure" AND count > 10 within 5min) OR (uri_path="/Captcha" AND status=200))
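The first half of the SIEM query above (more than 10 authentication failures from one source inside a 5-minute window) implemented as a sliding-window detector over log lines. This is an added example, not part of the original advisory or the vendor's tooling; the log line format and the sample events are constructed for illustration and do not reflect real ADSelfService Plus log output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # detection window from the SIEM query
THRESHOLD = 10                  # "count > 10" from the SIEM query


def parse_line(line):
    """Parse a constructed line: '<ISO timestamp> <event_type> key=value ...'."""
    ts_str, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts_str), event, fields


def flag_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: timestamp} for every source whose authentication
    failures exceed `threshold` within any sliding `window`; the timestamp is
    the event at which the threshold was first exceeded."""
    recent = defaultdict(deque)   # per-source failure timestamps in the window
    flagged = {}
    for line in lines:            # lines are assumed to be in time order
        ts, event, fields = parse_line(line)
        if event != "authentication_failure":
            continue
        src = fields["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def constructed_sample():
    """Constructed sample log: one source hammering the login in under two
    minutes, one source failing slowly (every 7 minutes), one success."""
    base = datetime(2021, 8, 10, 10, 0, 0)
    fmt = "{} {} src={} uri=/authenticate"
    lines = [fmt.format((base + timedelta(seconds=10 * i)).isoformat(),
                        "authentication_failure", "10.0.0.5") for i in range(12)]
    lines += [fmt.format((base + timedelta(minutes=7 * i)).isoformat(),
                         "authentication_failure", "10.0.0.9") for i in range(12)]
    lines.append(fmt.format((base + timedelta(minutes=1)).isoformat(),
                            "authentication_success", "10.0.0.7"))
    return sorted(lines)   # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    print(flag_bruteforce(constructed_sample()))  # only 10.0.0.5 is flagged
```

The slow source (10.0.0.9) never exceeds the threshold inside any 5-minute window, which is exactly the case a plain per-day failure count would misreport.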