Authentication Bypass in Zoho ManageEngine ADSelfService Plus
CVE-2023-35854

9.8CRITICAL

Key Information:

Vendor: Zohocorp
Status: Manageengine Adselfservice Plus
Vendor: CVE Published:; 20 June 2023

What is CVE-2023-35854?

The vulnerability in Zoho ManageEngine ADSelfService Plus poses a significant risk by allowing an authentication bypass that can be exploited by attackers to steal the domain controller session token. This exploit enables identity spoofing, granting unauthorized users the privileges associated with the domain controller administrator. Despite concerns over this vulnerability, the vendor claims to have found no evidence supporting security issues within the affected version.

References

https://www.manageengine.com

https://github.com/970198175/Simply-use

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 20, 2023
Vulnerability Reserved
Jun 19, 2023

Zohocorp

What is CVE-2023-35854?

References

CVSS V3.1

Timeline