CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
Sigma rule
title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
id: fcbb4a77-f368-4945-b046-4499a1da69d1
status: test
description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
references:
    - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
    - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
author: Sittikorn S, Nuttakorn Tungpoonsup
date: 2021/09/10
modified: 2023/01/02
tags:
    - attack.initial_access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
    - cve.2021.40539
    - detection.emerging_threats
logsource:
    category: webserver
    definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
detection:
    selection:
        cs-uri-query|contains:
            - '/help/admin-guide/Reports/ReportGenerate.jsp'
            - '/RestAPI/LogonCustomization'
            - '/RestAPI/Connection'
    condition: selection
fields:
    - c-ip
    - cs-uri-query
falsepositives:
    - Unknown
level: critical
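The rule's selection is a single `contains` test on the `cs-uri-query` field, so it is easy to reason about by running it over a few log records. The following Python is an added example, not part of the Sigma rule or the Sigma project: it parses constructed W3C extended-format web log lines (the IPs, timestamps and request stems are made up for this example), applies the rule's indicator list the way Sigma evaluates string modifiers (case-insensitive substring match, any of the listed values), and projects the rule's `fields`. Record 4 places the indicator only in `cs-uri-stem`, which the rule does not inspect, so it does not fire; that is the field-mapping check worth doing before trusting the rule in your pipeline.

```python
"""Evaluate the CVE-2021-40539 Sigma selection over constructed web log lines.
Added example; not the rule's own tooling."""
from typing import Dict, Iterator, List

# Indicators copied verbatim from the rule's `cs-uri-query|contains` list.
URI_INDICATORS = [
    "/help/admin-guide/Reports/ReportGenerate.jsp",
    "/RestAPI/LogonCustomization",
    "/RestAPI/Connection",
]

# Constructed sample log in W3C extended format. The #Fields directive names
# the columns; every record below is made up for this example.
SAMPLE_LOG = """\
#Software: example-webserver
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-09-10 10:00:01 10.0.0.5 GET / /RestAPI/LogonCustomization 200
2021-09-10 10:00:02 10.0.0.6 GET /login - 200
2021-09-10 10:00:03 10.0.0.7 POST / /restapi/connection 200
2021-09-10 10:00:04 10.0.0.8 GET /help/admin-guide/Reports/ReportGenerate.jsp - 200
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names in #Fields."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip malformed records instead of misaligning columns
        yield dict(zip(fields, values))


def selection_matches(record: Dict[str, str]) -> bool:
    """Sigma `cs-uri-query|contains` with a list: any indicator, case-insensitive.

    Sigma string matching is case-insensitive by default, so the lower-cased
    comparison mirrors what a backend would generate."""
    query = record.get("cs-uri-query", "").lower()
    return any(ind.lower() in query for ind in URI_INDICATORS)


def detect(text: str) -> List[Dict[str, str]]:
    """Apply `condition: selection` and keep only the rule's `fields`."""
    return [
        {"c-ip": r.get("c-ip", "-"), "cs-uri-query": r.get("cs-uri-query", "-")}
        for r in parse_w3c(text)
        if selection_matches(r)
    ]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"critical: {hit['c-ip']} {hit['cs-uri-query']}")
```

Running it prints two hits (records 1 and 3). If your collector puts the request path into `cs-uri-stem` and leaves `cs-uri-query` as `-`, as in record 4, the rule as written will not match; map the field accordingly rather than loosening the indicators.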
Related rules
- Oracle WebLogic Exploit
- Suspicious MSExchangeMailboxReplication ASPX Write
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt