External risk intelligence

Zoho ManageEngine ADSelfService Plus Code Execution and Privilege Escalation Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2018-5353

This product is a web-based identity and self-service password management portal. Such applications are commonly deployed as internet-facing services to allow remote users to manage their own credentials, increasing the likelihood of exposure to external network segments.

Zohocorp Manageengine Adselfservice Plus

before 5.55.5

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Zoho's ManageEngine ADSelfService Plus software, which is used for identity and password management. This issue allows remote attackers to potentially execute code and gain elevated privileges by tricking the system into opening a malicious link. This could have significant implications for system security if the affected software is exposed to the internet or improperly configured.

  • Attackers can exploit a flaw to run unauthorized code.
  • Critical for identity management, impacting sensitive data access.
  • Confirm product relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by performing a spoofing attack to redirect a user's browser to a malicious site. This could lead to code execution within the WinLogon.exe process, potentially escalating privileges. If Network Level Authentication is not enforced, the attack could also be carried out via RDP. In cases where the web server's certificate is misconfigured, the spoofing step may not even be necessary.

  • Unauthenticated remote access required.
  • Browser redirection to trigger vulnerability.
  • Code execution and privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an unauthenticated attacker could execute code and escalate privileges by spoofing the intended server. This could lead to code execution within the WinLogon.exe process, especially if Network Level Authentication is not enforced or if the web server has a misconfigured certificate.

  • System credentials could be compromised.
  • Attackers could spoof server requests.
  • Malicious code execution may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Zoho ManageEngine ADSelfService Plus product, often exposed externally, likely requires coordination between the application owners and infrastructure teams to address this vulnerability. The first practical step is to identify all instances of ADSelfService Plus, confirm their network exposure and business criticality, and then locate the accountable owner for remediation planning.

  • Application owners should own this issue.
  • Verify external exposure and business criticality first.
  • Plan remediation based on confirmed exposure and risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Zoho ManageEngine ADSelfService Plus?

This software functions as a web-based identity and self-service password management portal. Because it manages credentials, it is often deployed as an internet-facing service to facilitate remote access for employees, which integrates it deeply into organizational infrastructure.

How does CWE-290 relate to CVE-2018-5353?

This vulnerability is classified under CWE-290, which indicates a weakness in authentication through spoofing. The product fails to verify the intended server before launching a browser window, allowing unauthorized manipulation.

What conditions trigger the execution flaw?

An attacker can initiate execution within the WinLogon.exe process by spoofing the server to redirect a user's browser. If Network Level Authentication is missing, this can be triggered via RDP, while misconfigured web server certificates may remove the need for spoofing entirely.

Why is this vulnerability considered relevant?

According to the Halo Surface Signal, this product is a likely target for external exposure due to its role as an internet-facing identity portal. Its potential for code execution and privilege escalation creates significant risk for managed credentials.

How should organizations address this risk?

Teams should identify all instances of the software, verify their network exposure, and determine business criticality. Remediation planning should be coordinated between application owners and infrastructure staff to ensure affected versions are updated.

References