CISA and FBI Warn of Nation State Hackers Exploiting Critical Zoho Vulnerability

A critical vulnerability affecting the Zoho single-sign-on and password management solution is being actively exploited by advanced persistent threat (APT) groups and has been since the start of August 2021, according to a joint alert issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Coast Guard Cyber Command (CGCYBER).

The vulnerability, tracked as CVE-2021-40539, is an authentication bypass flaw in Zoho ManageEngine ADSelfService Plus, specifically in its representational state transfer (REST) application programming interface (API) URLs. The vulnerability can be exploited to remotely execute code and would allow an attacker to gain full control of affected systems. The vulnerable Zoho single-sign-on and password management solution is used by many Fortune 500 firms.

In the alert, the FBI, CISA, and CGCYBER explain that exploitation of the bug in ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and all other entities that use the software.

APT groups and other threat actors exploiting the flaw are able to deploy web shells for post-exploitation activities, including the theft of admin credentials, lateral movement, and exfiltration of registry hives and Active Directory files.

On September 6, 2021, Zoho released Zoho ManageEngine ADSelfService Plus build 6114, which includes a fix for the CVE-2021-40539 vulnerability. In addition to ensuring the solution is updated to the secure version, FBI, CISA, and CGCYBER recommend not exposing Zoho ManageEngine ADSelfService Plus directly to the Internet.

FBI, CISA, and CGCYBER have published technical information about attacks, including indicators of compromise (IoCs) and YARA Rules.

Should organizations discover that the vulnerability has already been exploited and the NTDS.dit file has been compromised, it is strongly recommended to perform domain-wide password resets and to reset the Kerberos Ticket Granting Ticket (TGT) account password twice.
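As an added example that is not part of the article or the joint alert, the following PowerShell performs the double TGT account (krbtgt) reset the advisory recommends, waiting for every writable domain controller to replicate the first reset before performing the second; the domain-wide user password resets are a separate step. It assumes the ActiveDirectory RSAT module and Domain Admin rights, and the function names are the example's own.

```powershell
# Added example, not from the article or the alert: reset krbtgt twice, pausing
# between resets until every writable DC has replicated the new password.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 64)
    # Long random password; AD derives the krbtgt keys from it, so length matters.
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Test-KrbtgtReplicated {
    param([Parameter(Mandatory)][int64]$ExpectedPwdLastSet)
    # True only when every writable DC reports the new pwdLastSet value.
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $stale = foreach ($dc in $dcs) {
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
        if ($k.pwdLastSet -ne $ExpectedPwdLastSet) { $dc.HostName }
    }
    if ($stale) { Write-Warning ("krbtgt not yet replicated to: " + ($stale -join ', ')) }
    return -not $stale
}

function Reset-KrbtgtOnce {
    param([Parameter(Mandatory)][string]$Server)
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw -Server $Server
    $after = Get-ADUser -Identity krbtgt -Server $Server -Properties pwdLastSet
    Write-Host ("krbtgt reset on {0} at {1:u}" -f $Server, [DateTime]::FromFileTime($after.pwdLastSet))
    # Block until replication converges; a second reset before that can leave
    # DCs disagreeing on the current and previous krbtgt keys.
    while (-not (Test-KrbtgtReplicated -ExpectedPwdLastSet $after.pwdLastSet)) {
        Start-Sleep -Seconds 60
    }
}

# krbtgt keeps the current and previous password, so tickets forged with a
# stolen hash stay valid until the second reset pushes it out of history.
$pdc = (Get-ADDomain).PDCEmulator
Reset-KrbtgtOnce -Server $pdc
Reset-KrbtgtOnce -Server $pdc
```

Both resets invalidate all outstanding TGTs, so users and services will re-authenticate; schedule the run accordingly and confirm with `repadmin /showrepl` if replication stalls.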

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news