PT-2024-1577 · Zoho · Zoho ManageEngine ADSelfService Plus

Joe Zhoy · Published 2024-01-11 · Updated 2024-06-07 · CVE-2024-0252

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ManageEngine ADSelfService Plus, builds 6401 and below
Description: ManageEngine ADSelfService Plus builds 6401 and below are vulnerable to remote code execution caused by improper handling in the product's load balancer component. Authentication is required to exploit the vulnerability, which the CVSS v2 vector reflects with Au:S: an attacker needs a valid account on the portal, but with one can execute code on the ADSelfService Plus server. ADSelfService Plus is a self-service password reset portal that is frequently exposed to the internet; an estimated 1,969 reachable instances are potentially affected, mainly in the United States and India.
Recommendations: Update ManageEngine ADSelfService Plus to build 6402 or later, the first build that fixes CVE-2024-0252, and confirm the build number shown in the product's admin console before and after the update rather than relying on an inventory entry alone. If the update cannot be applied immediately, restrict network access to the load balancer component and the API endpoints it serves to trusted administrative networks, and do not use the load balancer feature until the fixed build is installed. Because exploitation requires a valid account, also review which accounts can reach the portal and check its access logs for unexpected authenticated requests to the load balancer endpoints.
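A small inventory triage for the affected range above, added here as an example and not taken from the original page or from Zoho: it assumes each instance's build number has already been read from its admin console and recorded in an inventory as free-form text (the sample records below are constructed), and it sorts hosts into affected (6401 and below), fixed (6402 and above) and unknown, so that an entry with an unreadable build number is surfaced for manual review instead of silently dropping out of the patch list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Highest affected build per the advisory; 6402 is the first fixed build.
LAST_AFFECTED_BUILD = 6401


@dataclass
class Host:
    name: str
    build_text: str  # free-form text as recorded in the inventory


def parse_build(text: str) -> Optional[int]:
    """Extract the ADSelfService Plus build number from free-form inventory text.

    Build numbers are four-digit integers such as 6401. Returns None when no
    build number is present so the caller can flag the host for manual review.
    """
    match = re.search(r"\b(\d{4})\b", text)
    return int(match.group(1)) if match else None


def is_affected(build: int) -> bool:
    """True for builds inside the advisory's affected range (6401 and below)."""
    return build <= LAST_AFFECTED_BUILD


def triage(hosts):
    """Split an inventory into affected, fixed and unknown buckets."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host in hosts:
        build = parse_build(host.build_text)
        if build is None:
            result["unknown"].append(host.name)
        elif is_affected(build):
            result["affected"].append((host.name, build))
        else:
            result["fixed"].append((host.name, build))
    return result


# Constructed sample inventory; hostnames and build strings are not real data.
SAMPLE = [
    Host("adss-prod-01", "ADSelfService Plus Build 6401"),
    Host("adss-prod-02", "6402"),
    Host("adss-dr-01", "build 6308"),
    Host("adss-lab", "version unknown"),
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, build in report["affected"]:
        print(f"PATCH  {name}: build {build} <= {LAST_AFFECTED_BUILD}")
    for name, build in report["fixed"]:
        print(f"OK     {name}: build {build}")
    for name in report["unknown"]:
        print(f"CHECK  {name}: build number not found, verify in admin console")
```

The parser deliberately accepts only a bare four-digit build so that a stray year or a CVE identifier in the inventory text does not masquerade as a build number; anything else goes to the unknown bucket rather than being guessed.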

Tags: Fix · RCE · Missing Authentication · Code Injection


Weakness Enumeration

Related Identifiers: BDU:2024-01138, CVE-2024-0252

Affected Products: Zoho ManageEngine ADSelfService Plus