CVE-2021-37424
📋 TL;DR
This vulnerability in ManageEngine ADSelfService Plus allows attackers to take over domain user accounts without authentication. It affects organizations using ADSelfService Plus for self-service password management and single sign-on. Attackers can exploit this to gain unauthorized access to Active Directory accounts.
💻 Affected Systems
- ManageEngine ADSelfService Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete domain compromise where attackers gain administrative privileges, access sensitive data, deploy ransomware, or maintain persistent access across the network.
Likely Case
Account takeover of regular domain users leading to data theft, lateral movement, and privilege escalation within the organization.
If Mitigated
Limited impact if proper network segmentation, monitoring, and access controls prevent lateral movement after initial compromise.
🎯 Exploit Status
Exploitation requires no authentication and has been actively exploited in the wild. Attackers can chain this with other vulnerabilities for greater impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6112
Vendor Advisory: https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6112-hotfix-release
Restart Required: Yes
Instructions:
1. Download ADSelfService Plus 6112 from the ManageEngine website.
2. Stop the ADSelfService Plus service.
3. Back up the current installation.
4. Install the 6112 update.
5. Restart the service.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to ADSelfService Plus to only trusted internal networks
Access Control
Implement strict firewall rules to limit external access to the application
🧯 If You Can't Patch
- Immediately isolate the ADSelfService Plus server from the internet and restrict internal access
- Implement enhanced monitoring for suspicious authentication attempts and account changes
🔍 How to Verify
Check if Vulnerable:
Check the ADSelfService Plus version in the web interface or installation directory. Versions below 6112 are vulnerable.
Check Version:
Check the version in the web interface at https://[server]:[port]/ or in the installation directory properties.
Verify Fix Applied:
Verify the version shows 6112 or higher in the application interface and test authentication functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple failed login attempts followed by successful logins from unexpected sources
- Account modification events
Network Indicators:
- Unusual traffic patterns to ADSelfService Plus endpoints
- External IP addresses accessing authentication endpoints
SIEM Query:
source="ADSelfService Plus" AND (event_type="authentication" OR event_type="account_modification") AND result="success" AND src_ip NOT IN [trusted_networks]
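The log and SIEM logic above (successful authentication or account changes from outside trusted networks, and a burst of failures followed by a success), as an added example that is not part of the original page or the vendor's product. The key=value log layout, field names, sample IPs and trusted ranges are constructed assumptions, not ADSelfService Plus's real log format:

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines in a simplified key=value layout (assumption,
# not the real ADSelfService Plus format); IPs are documentation ranges.
SAMPLE_LOGS = [
    "ts=2021-09-01T10:00:01 event_type=authentication user=alice src_ip=10.0.0.5 result=success",
    "ts=2021-09-01T10:01:10 event_type=authentication user=bob src_ip=203.0.113.7 result=failure",
    "ts=2021-09-01T10:01:12 event_type=authentication user=bob src_ip=203.0.113.7 result=failure",
    "ts=2021-09-01T10:01:15 event_type=authentication user=bob src_ip=203.0.113.7 result=failure",
    "ts=2021-09-01T10:01:20 event_type=authentication user=bob src_ip=203.0.113.7 result=success",
    "ts=2021-09-01T10:02:00 event_type=account_modification user=bob src_ip=203.0.113.7 result=success",
    "ts=2021-09-01T10:03:00 event_type=password_reset user=carol src_ip=10.0.0.9 result=success",
]

# Assumed "trusted_networks" list from the SIEM query; adjust to your own ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def is_trusted(ip):
    """True if the source address falls inside any trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_alerts(lines, failure_threshold=3):
    """Return alert tuples for (a) successful authentication/account_modification
    events from untrusted source IPs and (b) a successful login preceded by at
    least failure_threshold consecutive failures for the same user and source IP."""
    alerts = []
    failures = defaultdict(int)  # (user, src_ip) -> consecutive failure count
    for line in lines:
        ev = parse_line(line)
        key = (ev["user"], ev["src_ip"])
        if ev["event_type"] == "authentication" and ev["result"] == "failure":
            failures[key] += 1
            continue
        if ev["result"] == "success":
            if ev["event_type"] in ("authentication", "account_modification") and not is_trusted(ev["src_ip"]):
                alerts.append(("untrusted_source", ev["user"], ev["src_ip"], ev["event_type"]))
            if ev["event_type"] == "authentication" and failures[key] >= failure_threshold:
                alerts.append(("brute_force_then_success", ev["user"], ev["src_ip"], failures[key]))
        failures[key] = 0  # any non-failure event ends the failure streak
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```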