CVE-2024-0252 (CVSS 9.9): Zoho ManageEngine ADSelfService RCE Vulnerability
A newly disclosed flaw demands immediate attention from IT professionals. Zoho’s ManageEngine ADSelfService Plus, known for its integrated self-service password management and single sign-on for Active Directory and cloud applications, is affected by a critical remote code execution vulnerability.
Identified by security researcher Joe Zhoy, the vulnerability, cataloged as CVE-2024-0252, presents a serious security risk: it allows authenticated users to execute code remotely on devices running the affected software. Unusually, the vulnerability resides in the load balancer component, yet it affects even deployments where no load balancer is configured, so leaving the load balancer disabled is not a mitigation. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code on the system.
“This security advisory for ManageEngine ADSelfService Plus pertains to an authenticated remote code execution vulnerability in the load balancer component of ADSelfService Plus. All ADSelfService Plus installations, regardless of load balancer configurations, are vulnerable,” Zoho wrote in its security advisory.
“An authenticated user can execute remote codes on the machine where ADSelfService Plus is installed.”
CVE-2024-0252 carries a critical CVSSv3.1 score of 9.9, and Zoho classifies it as a high-risk vulnerability. A score this high underscores the urgent need to patch.
In response, Zoho promptly issued a fix in build 6402, released on January 10th; administrators should upgrade every ADSelfService Plus installation to build 6402 or later. The swift response reflects the company’s commitment to user security and underscores the importance of timely software updates in the face of evolving threats.