CVE-2023-35854
Severity: CRITICAL
Zohocorp ManageEngine ADSelfService Plus - Missing Authentication
Title source: ruleDescription
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
Exploits (1)
Scores
CVSS v3: 9.8
EPSS: 0.0310
EPSS Percentile: 86.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-306
Status: published
Products (2):
- zohocorp/manageengine_adselfservice_plus: 6.1 (14 CPE variants)
- zohocorp/manageengine_adselfservice_plus: < 6.1
Published: Jun 20, 2023
Tracked Since: Feb 18, 2026