Home / Threat Intelligence bulletins / Threat Actor Deploys Malicious Tools Using ManageEngine ADSelfService Exploit


Researchers have discovered a critical vulnerability in Zoho’s cloud-based ADSelfService Plus password management and single sign-on (SSO) solution.

The flaw could be exploited by remote, unauthenticated, attackers to gain privileged access to an organisation’s infrastructure.


This vulnerability could allow an unauthenticated attacker privileged access to an organisation’s cloud and on-prem environments.

Affected Products

ADSelfService Plus builds up to and includes 6113.

Containment, Mitigations & Remediations

Zoho ManageEngine has provided an update (build 6114) which it is hoped remediates the vulnerability.

They have also provided tools for detecting the exploit of the vulnerability.

Zoho ManageEngine recommends that the AD SelfService server perform the following actions:

• Run the exploit detection tool.
• Check for specific log entries.
• Check for specific files in your system.

If you find that you are compromised Zoho ManageEngine recommends rebuilding the device from scratch with the updated version and checking for further signs of compromise and lateral movement.

This latter part is significantly easier said than done.

Threat Landscape

CISA, the FBI, and CGCYBER believe a Chinese state-sponsored actor uses a previously undisclosed vulnerability in a widely used OpenSSH version to run a remote code execution exploit to access systems.

Sectors currently targetted by this actor include:

  • Technology
  • Defence
  • Healthcare
  • Energy
  • Education Industries

The threat actor took advantage of this flaw to gain access to specific organisations, to then work their way through the network and deploy additional tools to gather credentials, sensitive information and attain persistence.

A number of Zoho ManageEngine products have recently been found to have a number of critical vulnerabilities that have allowed the creation of privileged accounts which in so doing have also bypassed normal detection and alerting mechanisms for the creation of such accounts.

These vulnerabilities and their associated exploits are not limited to the threat actor or sectors described above.

Indicators of Compromise

Evidence of Local file/path traversal within log files of the webserver serving ADSelfService Plus

  • In ManageEngine\ADSelfService Plus\logs\access_log_<date>.txt the presence of “/../RestAPI” or “/./RestAPI”
  • In ManageEngine\ADSelfService Plus\logs\serverOut_<date>.txt the presence of “java.lang.ClassCastException: org.apache.catalina.connector.RequestFacade cannot be cast to com.adventnet.iam.security.SecurityRequestWrapper”
  • In ManageEngine\ADSelfService Plus\logs\adslog_<date>.txt the presence of Java traceback errors referencing NullPointerException in addSmartCardConfig or getSmartCardConfig
  • The presence of “service.cer” in \ManageEngine\ADSelfService Plus\bin\
  • The presence of “adap.jsp” in \ManageEngine\ADSelfService Plus\webapps\adssp\help\html\promotion\
  • The presence of “ReportGenerate.jsp” in \ManageEngine\ADSelfService Plus\help\admin-guide\Reports\ or \ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports\
  • The presence of “custom.bat” in C:\Users\Public\
  • The presence of “custom.txt” in C:\Users\Public\

Mitre Methodologies

T1190 – Exploit Public-Facing Application
TA0006– Credential Access

Further Information

Check for specific files in the system

Take control of your IT

Security advisory – ADSelfService Plus authentication bypass vulnerability