Zoho has released a security update to patch a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. Hackers have been exploiting the vulnerability in the wild, according to a CISA (Cybersecurity and Infrastructure Security Agency) alert.
If the vulnerability is left unpatched, a remote attacker could exploit it to take control of an affected system, CISA says.
ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. CISA also strongly urges organizations to ensure ADSelfService Plus is not directly accessible from the Internet, the alert said.
ManageEngine's software is popular with MSPs that remotely monitor and manage end-customer systems.
Hackers have been targeting MSP-centric software tools to launch supply chain attacks that extend out to end-customers.