The FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) are warning about the 'active exploitation' of a bug in Zoho ManageEngine ServiceDesk Plus before 11306.
"Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration," CISA and the FBI note about the vulnerability tracked as CVE-2021-44077.
CISA and FBI's alert warns that organizations that didn't apply Zoho patches for Zoho ServiceDesk Plus versions 11306 and above are vulnerable to attackers who install web shells, which are dangerous because they persist on a system even after applying security updates.
The vulnerability also has implications for organizations using Microsoft's Windows identity platform, Active Directory.
"The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability," CISA says.
"If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files."
Meanwhile, Zoho says in its advisory: "This vulnerability allows an attacker to gain unauthorized access to the application's data through a few of its application URLs. To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement.
"This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks."
Microsoft raised an alarm this month about suspected Chinese hackers targeting Windows machines running Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. It was tracked as CVE-2021-40539.
According to security company Palo Alto's Unit 42, the two vulnerabilities are most likely being used by a Chinese cyber-espionage group. It said that at least 13 organizations across the technology, energy, healthcare, education, finance and defense industries have been compromised over the past three months.
"Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states," the researchers said.