cbcvebase.
CVE-2021-40539
published 2021-09-07

CVE-2021-40539: Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

Priority: P1 (100), critical, 9.8 CVSS 3.1
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 98.96% (99.9th percentile)

Affected

2 ranges
Vendor     Product                          Version range   Fixed in
zohocorp   manageengine_adselfservice_plus  < 6.16.1
zohocorp   manageengine_adselfservice_plus

Detection & IOCs (extracted from sources)

hash      f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663
hash      951fad30e91adae94ded90c60b80d29654918f90e76b05491b014b8810269f74
hash      d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c
hash      a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9
hash      2b40a804a6fc99f6643f8320d2668ebd2544f34833701300e34960b048485357
hash      8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376
hash      fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b
hash      41c9080f9c90e00a431b2fb04b461584abe68576996379a97469a71be42fc6ff
hash      c7a930f1ca5670978aa6d323d16c03a97d897c77f5cff68185c8393830a6083f
other     ._locked
other     available_for_trial
filename  how_to_decrypt.txt
  • Alert on creation of a kernel service named aswSP_ArPot2 pointing to aswArPot.sys in C:\windows\, used by attackers to disable AV products via DeviceIoControl with IOCTL 0x9988C094.
  • Hunt for DeviceIoControl calls using IOCTL code 0x9988C094 against the aswSP_ArPot2 device handle, which is used to terminate security product processes in a loop.
  • Detect use of netsh portproxy commands (netsh interface portproxy add v4tov4) as a living-off-the-land lateral movement technique associated with Insidious Taurus/Volt Typhoon post-exploitation of CVE-2021-40539.
  • Monitor for creation or modification of the PortProxy registry key at HKLM\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp as an indicator of port-forwarding setup by threat actors post-exploitation.
  • Alert on the presence of turnoff.bat (Trojan.BAT.TASKILL.AE) which is dropped by Trigona ransomware to terminate AV-related services and processes after initial access via CVE-2021-40539.
  • Detect files with the ._locked extension or filenames prepended with 'available_for_trial' as indicators of Trigona ransomware encryption activity following CVE-2021-40539 exploitation.
  • CVE-2021-40539 was patched in ADSelfService Plus build 6114; flag any instances running build 6113 or earlier as vulnerable to unauthenticated REST API authentication bypass leading to RCE.
  • The exact network traffic details for the CVE-2021-40539 exploitation chain in the AvosLocker incident were unavailable, so the precise CVE attribution was inferred from behavioral similarity to previously documented exploitation.
  • The Trigona ransomware hashes and IOCs listed are associated with post-exploitation payloads delivered after CVE-2021-40539 initial access, not the exploit itself; they may also be delivered via other initial access vectors.
  • The netsh portproxy and PortProxy registry key hunting queries may produce false positives as these techniques are also used by legitimate network administrators; results should be evaluated in context of other identified activity.
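The detection guidance in the list above, as an added example (not part of the cbcvebase record and not Zoho's or any vendor's code): a small Python scanner that applies the listed indicators to constructed host telemetry and labels each finding with a confidence level, so that the false-positive-prone portproxy indicators are kept apart from the tooling-specific ones. The event dictionary shapes, the confidence labels and the sample events are assumptions of this example; the hashes, service name, driver, IOCTL code, registry key, batch file name and file name patterns are the ones listed in this record.

```python
# Added example: apply the record's detection indicators to constructed host telemetry.
import re
from typing import Iterable

# Indicators copied from the record above.
TRIGONA_SHA256 = {
    "f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663",
    "951fad30e91adae94ded90c60b80d29654918f90e76b05491b014b8810269f74",
    "d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c",
    "a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9",
    "2b40a804a6fc99f6643f8320d2668ebd2544f34833701300e34960b048485357",
    "8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376",
    "fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b",
    "41c9080f9c90e00a431b2fb04b461584abe68576996379a97469a71be42fc6ff",
    "c7a930f1ca5670978aa6d323d16c03a97d897c77f5cff68185c8393830a6083f",
}
AV_KILLER_SERVICE = "aswsp_arpot2"          # compared case-insensitively
AV_KILLER_DRIVER = "aswarpot.sys"
AV_KILLER_IOCTL = 0x9988C094
PORTPROXY_KEY = r"hklm\system\controlset001\services\portproxy\v4tov4\tcp"
LAST_VULNERABLE_BUILD = 6113                # patched in build 6114

PORTPROXY_CMD = re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\s+v4tov4\b", re.I)
RANSOM_PATH = re.compile(r"\._locked$|(^|[\\/])available_for_trial|(^|[\\/])how_to_decrypt\.txt$", re.I)


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (confidence, description) findings for one telemetry event.

    The event shapes ('type' plus a few fields) are an assumption of this example;
    map your own sensor's fields onto them. 'high' findings are specific to the
    tooling named in the record; 'medium' ones (portproxy) are also used by admins.
    """
    hits: list[tuple[str, str]] = []
    kind = ev.get("type")
    if kind == "service_create":
        name, image = ev.get("name", "").lower(), ev.get("image", "").lower()
        if name == AV_KILLER_SERVICE or image.endswith(AV_KILLER_DRIVER):
            hits.append(("high", f"AV-killer driver service {ev.get('name')} -> {ev.get('image')}"))
    elif kind == "device_ioctl":
        if ev.get("ioctl") == AV_KILLER_IOCTL:
            hits.append(("high", f"IOCTL {AV_KILLER_IOCTL:#x} sent to {ev.get('device')} (process-termination loop)"))
    elif kind == "process":
        cmd = ev.get("cmdline", "")
        if PORTPROXY_CMD.search(cmd):
            hits.append(("medium", "netsh portproxy v4tov4 rule added; verify against change records"))
        if "turnoff.bat" in cmd.lower():
            hits.append(("high", "turnoff.bat executed (Trigona AV/service kill script)"))
    elif kind == "registry":
        if ev.get("key", "").lower().startswith(PORTPROXY_KEY):
            hits.append(("medium", f"PortProxy registry write: {ev.get('key')}"))
    elif kind == "file":
        path = ev.get("path", "")
        if RANSOM_PATH.search(path):
            hits.append(("high", f"Trigona ransomware artefact name: {path}"))
        if ev.get("sha256", "").lower() in TRIGONA_SHA256:
            hits.append(("high", f"known Trigona payload hash: {path}"))
    elif kind == "inventory":
        if ev.get("product") == "ADSelfService Plus" and ev.get("build", 0) <= LAST_VULNERABLE_BUILD:
            hits.append(("high", f"ADSelfService Plus build {ev.get('build')} <= 6113: unpatched for CVE-2021-40539"))
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, str, str]]:
    """Flatten findings over an event stream as (event index, confidence, description)."""
    return [(i, conf, text) for i, ev in enumerate(events) for conf, text in check_event(ev)]


SAMPLE_EVENTS = [  # constructed telemetry for this example, not from a real incident
    {"type": "inventory", "host": "adss01", "product": "ADSelfService Plus", "build": 6113},
    {"type": "service_create", "name": "aswSP_ArPot2", "image": r"C:\windows\aswArPot.sys"},
    {"type": "device_ioctl", "device": r"\\.\aswSP_ArPot2", "ioctl": 0x9988C094},
    {"type": "process", "cmdline": "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=192.0.2.10 connectport=80"},
    {"type": "registry", "key": r"HKLM\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp\0.0.0.0/8080"},
    {"type": "process", "cmdline": r"cmd.exe /c C:\Users\Public\turnoff.bat"},
    {"type": "file", "path": r"C:\Users\Public\how_to_decrypt.txt", "sha256": "0" * 64},
    {"type": "file", "path": r"C:\data\report.xlsx._locked"},
    {"type": "file", "path": r"C:\Windows\Temp\svc.exe",
     "sha256": "f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663"},
    {"type": "process", "cmdline": "notepad.exe"},  # benign, produces no finding
]

if __name__ == "__main__":
    for idx, conf, text in scan(SAMPLE_EVENTS):
        print(f"event {idx:2d} [{conf:6s}] {text}")
```

The 'medium' findings are the ones the record's own caveat flags as shared with legitimate administration; in practice they would be correlated with a 'high' finding on the same host within a time window before paging anyone, while the build-inventory finding is simply a patch-management ticket.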

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL