Pricing  Get Quote
 
 

Security Updates

CVE-2021-37423: Security vulnerability issue

Vulnerability Details
Severity High
CVE ID CVE-2021-37423
Affected software versions Builds 6123 and below
Fixed version Build 6200
Fixed on May 24, 2022

Details

CVE-2021-37423 refers to a security vulnerability reported in ManageEngine ADSelfService Plus that allowed sync agent functionality to be breached by an attacker. This was executed remotely by an unauthenticated user by deleting the real Password Sync Agent from the database and registering a fake Password Sync Agent.

We have now released ADSelfService Plus build 6200 that fixes the issue as follows:

  • An access key will now be generated in the product which needs to be provided during Password Sync Agent installation to ensure secure password synchronization.

Impact

This issue allowed the attacker to gain access to all the Password Sync Agent functionalities.

Steps to upgrade

Update your ADSelfService Plus instance to 6200 using the service pack.

Post-upgrade

After upgrading to the latest build, customers using Password Sync Agent will need to reinstall the agent and provide the access key generated in the product for proper functioning of the agent. Backward compatibility has not been provided for older versions of Password Sync Agent installed. For more information regarding Password Sync Agent installation, click here.

Acknowledgements

This issue was reported in Zoho BugBounty by STM.

Request for Support

Need further assistance? Fill this form, and we'll contact you rightaway.

  • Name
  •  
  • Business Email *
  •  
  • Phone *
  •  
  • Problem Description *
  •  
  • Country
  •  
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.
Highlights

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

Embark on a journey towards identity security and Zero Trust