17 September 2021

State-backed hackers actively exploiting recently disclosed Zoho RCE bug

The Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint alert warning that state-sponsored advanced persistent threat (APT) groups are actively exploiting a recently patched vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

The vulnerability (CVE-2021-40539) exists due to improper access restrictions on the "/RestAPI/LogonCustomization" and "/RestAPI/Connection" REST API endpoints. It allows a remote, unauthenticated attacker to execute arbitrary code on the system by sending malicious HTTP requests to those endpoints. The bug was patched on September 6 with the release of Zoho ManageEngine ADSelfService Plus build 6114.
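As an added defender-side example (not part of the alert or of Zoho's product), the script below scans web-server access-log lines for requests to the two REST API endpoints named above and checks an installed build number against the fixed build; the combined log format and the sample log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two REST API endpoints named in CVE-2021-40539.
VULNERABLE_ENDPOINTS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# First ADSelfService Plus build that contains the fix.
FIXED_BUILD = 6114

# Assumption: the web front end writes an Apache-style combined access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_vulnerable_build(build: int) -> bool:
    """True when the installed build predates the fix (build 6114)."""
    return build < FIXED_BUILD


def find_endpoint_requests(lines: List[str]) -> List[Hit]:
    """Collect every request whose path (query string stripped) is one of the
    vulnerable endpoints. A hit is a lead for review, not proof of compromise."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        path = rec["path"].split("?", 1)[0]
        if path in VULNERABLE_ENDPOINTS:
            hits.append(Hit(rec["ip"], rec["ts"], rec["method"], path, int(rec["status"])))
    return hits


def count_by_source(hits: List[Hit]) -> Dict[str, int]:
    """Number of endpoint requests per source address, for triage ordering."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


# Constructed sample log lines (documentation-range addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2021:03:14:07 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Sep/2021:03:14:30 +0000] "GET / HTTP/1.1" 200 4096',
    '203.0.113.7 - - [12/Sep/2021:03:14:52 +0000] "POST /RestAPI/Connection?x=1 HTTP/1.1" 200 128',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for hit in find_endpoint_requests(SAMPLE_LOG):
        print(hit)
    print(count_by_source(find_endpoint_requests(SAMPLE_LOG)))
```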

According to the security agencies, APTs have been exploiting this flaw in their attacks since August 2021. The targeted entities include academic institutions, defense contractors, and critical infrastructure entities in the transportation, IT, manufacturing, communications, logistics, and finance sectors.

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the joint alert said.

The agencies’ advisory also includes the technical details of attacks and Indicators of Compromise (IoCs) associated with them.
