
Zoho Corporation has released a security advisory addressing a critical account takeover vulnerability in its ADSelfService Plus identity security solution. The vulnerability, tracked as CVE-2025-1723, could allow unauthorized access to user enrollment data when multi-factor authentication (MFA) is not enabled for ADSelfService Plus login.
“CVE-2025-1723 describes a vulnerability caused by session mishandling in ADSelfService Plus that could allow unauthorized access to user enrollment data when MFA was not enabled for ADSelfService Plus login,” states the advisory.
The vulnerability stems from improper session management, potentially exposing sensitive user information and enabling attackers to hijack accounts. Zoho has confirmed that the issue has been resolved in ADSelfService Plus version 6511.
“This issue has been resolved in ADSelfService Plus version 6511 by ensuring that enrollment data is accessible only to the user whose session is currently authenticated,” clarifies Zoho.
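The advisory's description of the flaw and its fix (enrollment data served for a user named by the request rather than for the user bound to the authenticated session) matches a well-known access-control pattern. The following is an added, constructed illustration of that pattern and its hardened form; it is not ADSelfService Plus code, and the handler names, session store and enrollment records are all assumptions made up for this example.

```python
"""Constructed model of a session-mishandling bug of the kind CVE-2025-1723
describes. Nothing here is Zoho's code; records and session ids are invented."""

# Constructed sample data: two users' enrollment records and two live sessions.
ENROLLMENT_DATA = {
    "alice": {"security_questions": ["pet", "city"], "mobile": "+1-555-0100"},
    "bob": {"security_questions": ["school"], "mobile": "+1-555-0199"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session id -> owner


def vulnerable_get_enrollment(session_id, params):
    """Vulnerable pattern: the handler only checks that *some* valid session
    exists, then reads the target user from a request parameter. Any
    authenticated user can therefore read any other user's enrollment data.
    Returns ("denied", None) or ("ok", record)."""
    if session_id not in SESSIONS:
        return ("denied", None)
    target = params.get("userName")  # attacker-controlled, never tied to the session
    return ("ok", ENROLLMENT_DATA.get(target))


def fixed_get_enrollment(session_id, params):
    """Hardened pattern, in the spirit of the advisory's fix ("accessible only
    to the user whose session is currently authenticated"): the user whose data
    is returned is derived from the session alone. A request that names a
    different user is refused, which is also a useful signal to log and alert on,
    since legitimate clients never ask for someone else's record."""
    session_user = SESSIONS.get(session_id)
    if session_user is None:
        return ("denied", None)
    requested = params.get("userName")
    if requested is not None and requested != session_user:
        return ("denied", None)
    return ("ok", ENROLLMENT_DATA.get(session_user))


if __name__ == "__main__":
    # Bob's session asking for Alice's enrollment data.
    print(vulnerable_get_enrollment("sess-bob", {"userName": "alice"}))
    print(fixed_get_enrollment("sess-bob", {"userName": "alice"}))
    print(fixed_get_enrollment("sess-bob", {}))
```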
Zoho urges all ADSelfService Plus users to update their instances to build 6511 or later immediately. The update can be applied using the latest service pack.
This vulnerability highlights the importance of enabling MFA for all critical systems and applications. MFA adds an extra layer of security, making it significantly more difficult for attackers to gain unauthorized access, even if they manage to obtain user credentials.
Zoho credits Weston, a security researcher participating in the Zoho BugBounty program, for discovering and reporting the vulnerability. This underscores the value of bug bounty programs in identifying and mitigating security risks.
Users of ADSelfService Plus are strongly encouraged to prioritize updating their systems to the latest version to protect against potential account takeovers and safeguard sensitive user data.
Related Posts:
- CVE-2024-0252 (CVSS 9.9): Zoho ManageEngine ADSelfService RCE Vulnerability
- Zoho ManageEngine Desktop Central Authentication Bypass Vulnerability Alert
- Zoho ManageEngine ServiceDesk Plus Authentication Bypass Vulnerability
- ManageEngine Exchange Reporter Plus Remote Code Execution Vulnerability Alert