CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit

calendar Jun 20, 2023 · attack.initial_access attack.t1190 attack.persistence attack.t1505.003 cve.2021.40539 detection.emerging_threats  ·
Share on: linkedin copy

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Sigma rule (View on GitHub)

 1title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
 2id: fcbb4a77-f368-4945-b046-4499a1da69d1
 3status: test
 4description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
 5references:
 6    - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
 7    - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
 8    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
 9author: Sittikorn S, Nuttakorn Tungpoonsup
10date: 2021/09/10
11modified: 2023/01/02
12tags:
13    - attack.initial_access
14    - attack.t1190
15    - attack.persistence
16    - attack.t1505.003
17    - cve.2021.40539
18    - detection.emerging_threats
19logsource:
20    category: webserver
21    definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
22detection:
23    selection:
24        cs-uri-query|contains:
25            - '/help/admin-guide/Reports/ReportGenerate.jsp'
26            - '/RestAPI/LogonCustomization'
27            - '/RestAPI/Connection'
28    condition: selection
29fields:
30    - c-ip
31    - cs-uri-query
32falsepositives:
33    - Unknown
34level: critical

References

Related rules

to-top