Zoho ManageEngine Applications Manager: Security flaw gives admin rights
Zohocorp warns of a vulnerability in ManageEngine Applications Manager. Attackers can gain admin rights.
(Image: created with AI in Bing Designer by heise online / dmk)
A security vulnerability in Zoho ManageEngine Applications Manager puts affected installations at risk. Malicious actors can escalate their privileges and cause further damage.
In a security advisory, Zohocorp explains that ManageEngine Applications Manager contains a "vertical privilege escalation vulnerability". A delegated admin can gain full admin access without authorization by changing the user group parameters. This is done through the API that updates user profiles (CVE-2024-41140, CVSS 8.1, risk "high").
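To make the class of flaw concrete, here is an added illustration (not Zohocorp's code; the field names, roles and function names are assumptions) of a profile-update handler that writes every submitted field into the profile, next to a hardened version that allow-lists the fields each role may change and records rejected attempts for detection. The point is that a delegated admin calling a legitimate profile-update API must not be able to move itself or another account into the full admin group.

```python
"""Added example: vertical privilege escalation through a profile-update API.
Hypothetical code for illustration; it is not ManageEngine's implementation,
and the role names, field names and audit format are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

FULL_ADMIN = "ADMIN"
DELEGATED_ADMIN = "DELEGATED_ADMIN"
OPERATOR = "OPERATOR"


@dataclass
class User:
    username: str
    group: str
    email: str = ""


class PermissionDenied(Exception):
    """Raised when a caller tries to change a field its role may not touch."""


def update_profile_vulnerable(users: Dict[str, User], caller: User,
                              target_name: str, payload: dict) -> User:
    """'Before' version: every key in the request body is written straight into
    the profile. The caller's own group is never consulted, so the 'group'
    parameter is honoured for anyone allowed to reach the endpoint at all."""
    target = users[target_name]
    for key, value in payload.items():
        setattr(target, key, value)
    return target


SELF_SERVICE_FIELDS = {"email"}      # fields any admin role may edit
ADMIN_ONLY_FIELDS = {"group"}        # fields only a full admin may edit
ALLOWED_FIELDS = SELF_SERVICE_FIELDS | ADMIN_ONLY_FIELDS

# Constructed audit trail; a real deployment would ship these to the SIEM.
AUDIT_LOG: List[str] = []


def update_profile_hardened(users: Dict[str, User], caller: User,
                            target_name: str, payload: dict) -> User:
    """'After' version: reject unknown fields outright, and require the
    FULL_ADMIN role on the *caller* (checked server-side, never from the
    request) before any admin-only field such as the group is changed."""
    target = users[target_name]
    requested = set(payload)

    unknown = requested - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unknown profile fields: {sorted(unknown)}")

    privileged = requested & ADMIN_ONLY_FIELDS
    if privileged and caller.group != FULL_ADMIN:
        AUDIT_LOG.append(
            f"DENIED {caller.username} ({caller.group}) tried to set "
            f"{sorted(privileged)} on {target_name}")
        raise PermissionDenied(
            f"{caller.group} may not change {sorted(privileged)}")

    for key, value in payload.items():
        setattr(target, key, value)
    AUDIT_LOG.append(
        f"OK {caller.username} ({caller.group}) updated {sorted(requested)} "
        f"on {target_name}")
    return target


def make_users() -> Dict[str, User]:
    """Constructed sample directory: one full admin, one delegated admin."""
    return {
        "root": User("root", FULL_ADMIN, "root@example.invalid"),
        "delegated": User("delegated", DELEGATED_ADMIN, "d@example.invalid"),
    }


if __name__ == "__main__":
    users = make_users()
    # The vulnerable handler lets the delegated admin promote itself.
    update_profile_vulnerable(users, users["delegated"], "delegated",
                              {"group": FULL_ADMIN})
    print("vulnerable:", users["delegated"].group)

    users = make_users()
    try:
        update_profile_hardened(users, users["delegated"], "delegated",
                                {"group": FULL_ADMIN})
    except PermissionDenied as exc:
        print("hardened:", exc)
    for line in AUDIT_LOG:
        print(line)
```

The hardened handler makes two separate decisions: which fields exist at all (an allow-list, so new privileged attributes are not silently writable) and which of them the caller's server-side role may change. The denied attempts are worth alerting on, since a delegated account repeatedly sending a group parameter is exactly the behaviour a patch-lagging installation would see before a successful escalation.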
Bug fix available
According to the security announcement, Zohocorp has been providing updated software since the beginning of January to close this security hole. However, the information in the CVE entry CVE-2024-41140 was only published in the middle of this week. According to that entry, ManageEngine Applications Manager up to and including version v173900 is affected. The developers have patched the vulnerability in versions 170008 to 170099, 173303 to 173399, and 174000 and newer.
The service packs that close the vulnerability are available for download on the Zohocorp website. As the manufacturer classifies the vulnerability as high-risk, IT managers should not delay the update but apply it promptly. Cyber criminals frequently attack vulnerabilities in Zoho ManageEngine software: after an IT security company published a proof-of-concept exploit for CVE-2022-47966, for example, attacks on that vulnerability, which affected 24 products in the range, followed quickly.
In November, IT managers using Zoho ManageEngine ADManager Plus had to take action. At that time, a gaping security hole allowed attackers to inject SQL commands and gain unauthorized access.
(dmk)