CVE-2023-35854
📋 TL;DR
CVE-2023-35854 is an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus that allows attackers to steal domain controller session tokens. This enables identity spoofing and can grant domain controller administrator privileges. Organizations using ADSelfService Plus versions through 6113 are affected.
💻 Affected Systems
- Zoho ManageEngine ADSelfService Plus
📦 What is this software?
Manageengine Adselfservice Plus by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Complete domain compromise where attackers gain domain controller administrator privileges, enabling them to create/delete accounts, modify permissions, access sensitive data, and deploy malware across the entire domain.
Likely Case
Attackers gain elevated domain privileges to access sensitive systems, steal credentials, and move laterally across the network while maintaining persistence.
If Mitigated
Limited impact with proper network segmentation, monitoring, and least privilege principles preventing lateral movement even if initial access is achieved.
🎯 Exploit Status
Public proof-of-concept code exists on GitHub, making exploitation straightforward for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6114 and later
Vendor Advisory: https://www.manageengine.com/products/self-service-password/release-notes.html
Restart Required: Yes
Instructions:
1. Download ADSelfService Plus version 6114 or later from the ManageEngine website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the ADSelfService Plus service.
5. Verify that the new version is running.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to ADSelfService Plus to only trusted internal networks
Use firewall rules to block external access to ADSelfService Plus ports (typically 80, 443, 8443)
Access Control
Implement strict IP whitelisting for administrative access
Configure ADSelfService Plus to only accept connections from specific IP ranges
🧯 If You Can't Patch
- Immediately isolate the ADSelfService Plus server from the internet and restrict internal access
- Implement enhanced monitoring for suspicious authentication attempts and privilege escalation activities
🔍 How to Verify
Check if Vulnerable:
Check the ADSelfService Plus version in the web interface under Help > About. If the version is 6113 or earlier, the system is vulnerable.
Check Version:
In ADSelfService Plus web interface: Navigate to Help > About to view version
Verify Fix Applied:
After patching, verify the version shows 6114 or later in the About section and test that authentication bypass attempts fail.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple failed login attempts followed by successful authentication from same IP
- Unexpected privilege escalation events
Network Indicators:
- Unusual traffic patterns to/from ADSelfService Plus server
- Suspicious requests to authentication endpoints
SIEM Query:
source="ADSelfServicePlus" AND ((event_type="authentication" AND result="success" AND user_agent="suspicious") OR event_type="privilege_escalation")
The outer parentheses keep the source filter applied to both branches; without them the privilege_escalation clause would match events from any source. The field names and the user_agent="suspicious" value are placeholders to be mapped onto the field schema and user-agent patterns your SIEM actually indexes.
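The second log indicator above (several failed logins followed by a success from the same IP) written out as a small detection routine over constructed sample lines. This is an added example, not part of the advisory or of ManageEngine's tooling; the line layout, field order and LOGIN_FAILED/LOGIN_SUCCESS markers are assumptions, since the real ADSelfService Plus audit log format is not shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed simplified layout:
#   "<ISO timestamp> <source ip> <user> <LOGIN_FAILED|LOGIN_SUCCESS>"
# This is NOT the real ADSelfService Plus log format; adapt LINE_RE to yours.
SAMPLE_LOG = """\
2023-06-20T10:00:01 10.0.0.5 jdoe LOGIN_FAILED
2023-06-20T10:00:04 10.0.0.5 jdoe LOGIN_FAILED
2023-06-20T10:00:07 10.0.0.5 jdoe LOGIN_FAILED
2023-06-20T10:00:09 10.0.0.5 jdoe LOGIN_FAILED
2023-06-20T10:00:12 10.0.0.5 jdoe LOGIN_SUCCESS
2023-06-20T10:05:00 10.0.0.9 asmith LOGIN_FAILED
2023-06-20T10:30:00 10.0.0.9 asmith LOGIN_SUCCESS
2023-06-20T11:00:00 10.0.0.7 bwayne LOGIN_SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_FAILED|LOGIN_SUCCESS)$")

def parse_events(text):
    """Parse log text into (timestamp, ip, user, outcome) tuples, skipping unknown lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def find_failures_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Return (ip, user, failure_count, success_time) for every successful login
    preceded by at least `min_failures` failures from the same IP within `window`."""
    recent_failures = defaultdict(list)  # ip -> timestamps of failures not yet followed by a success
    hits = []
    for ts, ip, user, outcome in sorted(events):
        if outcome == "LOGIN_FAILED":
            recent_failures[ip].append(ts)
            continue
        # A success: count only the failures from this IP that fall inside the window.
        in_window = [t for t in recent_failures[ip] if ts - t <= window]
        if len(in_window) >= min_failures:
            hits.append((ip, user, len(in_window), ts))
        recent_failures[ip].clear()  # a success ends the burst for this IP
    return hits

if __name__ == "__main__":
    for ip, user, n, ts in find_failures_then_success(parse_events(SAMPLE_LOG)):
        print(f"ALERT {ts.isoformat()} {ip} user={user}: {n} failures then success")
```

Only 10.0.0.5 is flagged: 10.0.0.9 has a single failure and its success falls outside the ten-minute window.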