Background / What has happened?
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has discovered a number of medium to large Australian organisations are potentially exposed to a vulnerability in ManageEngine ADSelfService Plus instances. ManageEngine ADSelfService Plus, is typically used for user’s self servicing of password resets and updating directory details. ASD's ACSC analysis conducted since the vulnerability was first announced on 7 September 2021 indicates that there is an increased number of potentially vulnerable and exposed ADSelfService Plus instances in Australia.
A vulnerability (CVE-2021-40539) was identified on 7 September 2021 in the ADSelfService Plus application programming interface (API) which could allow a cyber actor to bypass authentication controls and execute arbitrary code remotely. A cyber actor would then be able to install malware or otherwise control the affected host.
Analysis conducted by the United States (U.S.) Federal Bureau of Investigation, U.S. Coast Guard Cyber Command and the U.S. Cybersecurity and Infrastructure Security Agency has identified advanced persistent threat cyber actors exploiting this vulnerability to target U.S. organisations.
A cyber actor could exploit this vulnerability to execute arbitrary code, potentially enabling the actor to take control of the vulnerable host.
Mitigation / How do I stay secure?
Australian organisations who utilise ADSelfService Plus and who have not yet applied the available patch should update any internet facing instances of ADSelfService Plus as a priority.
Affected organisations are also recommended to review and action the detection guidance contained within the joint U.S. advisory.
Assistance / Where can I go for help?
The ASD's ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ASD's ACSC via 1300 CYBER1 (1300 292 371).