Zoho Patches RCE in ManageEngine ADSelfService - CVE-2024-0252

Researchers have identified a new security flaw in Zoho's ManageEngine ADSelfService Plus that could lead to remote code execution.

The vulnerability, tracked as CVE-2024-0252 with a CVSS score of 9.9, presents a serious security risk. It allows authenticated users to remotely execute code on devices running the affected software. Unusually, the vulnerability resides within the load balancer component, posing a threat even to systems without an active load balancer. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

According to the security advisory, CVE-2024-0252 is an authenticated remote code execution vulnerability in the load balancer component of ManageEngine ADSelfService Plus. All ADSelfService Plus installations, regardless of load balancer configuration, are vulnerable. An authenticated user can execute code remotely on the machine where ADSelfService Plus is installed.

Zoho promptly issued an update, build 6402, released on January 10th, and recommended that customers update as soon as possible.

This security bug was identified by the security researcher Joe Zhoy.
