Pricing  Get Quote
 
 

Security Updates

Self Service Password Management » Security Updates

CVE-2021-37423: Security vulnerability issue

Vulnerability Details
Severity High
CVE ID CVE-2021-37423
Affected software versions Builds 6123 and below
Fixed version Build 6200
Fixed on May 24, 2022

Details

CVE-2021-37423 refers to a security vulnerability reported in ManageEngine ADSelfService Plus that allowed sync agent functionality to be breached by an attacker. This was executed remotely by an unauthenticated user by deleting the real Password Sync Agent from the database and registering a fake Password Sync Agent.

We have now released ADSelfService Plus build 6200 that fixes the issue as follows:

  • An access key will now be generated in the product which needs to be provided during Password Sync Agent installation to ensure secure password synchronization.

Impact

This issue allowed the attacker to gain access to all the Password Sync Agent functionalities.

Steps to upgrade

Update your ADSelfService Plus instance to 6200 using the service pack.

Post-upgrade

After upgrading to the latest build, customers using Password Sync Agent will need to reinstall the agent and provide the access key generated in the product for proper functioning of the agent. Backward compatibility has not been provided for older versions of Password Sync Agent installed. For more information regarding Password Sync Agent installation, click here.

Acknowledgements

This issue was reported in Zoho BugBounty by STM.

Request for Support

Need further assistance? Fill this form, and we'll contact you rightaway.

  • Name
  •  
  • Business Email *
  •  
  • Phone *
  •  
  • Problem Description *
  •  
  • Country
  •  
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.
Highlights of ADSelfService Plus

Password self-service

Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.

One identity with single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.

Password and account expiry notification

Intimate Active Directory users of their impending password and account expiry via email and SMS notifications.

Password synchronization

Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer

Strong passwords resist various hacking threats. Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements.

Directory self-update and corporate directory search

Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.

« Home
Knowledge Base »

ADSelfService Plus trusted by

Embark on a journey towards identity security and Zero Trust
Password management Adaptive MFA Enterprise SSO Self-service & security Related products