Zohocorp ADSelfService Plus: Security leak enables account takeover
Zohocorp warns of a vulnerability in ADSelfService Plus. Attackers can use it to take over accounts.
(Image: Created with AI in Bing Designer by heise online / dmk)
Attackers can abuse a security vulnerability in Zohocorp's ADSelfService Plus to take over accounts. Updated software plugs the security leak. IT managers should apply it promptly.
In Zohocorp's security announcement, the company's developers write that the vulnerability is due to faulty session handling in ADSelfService Plus. This could lead to unauthorized access to user enrollment data if multifactor authentication was not enabled for ADSelfService Plus log-ins. As a result, user data could be leaked to unauthorized parties, possibly leading to account takeovers (CVE-2025-1723, CVSS 8.1, risk "high").
ADSelfService Plus leak: update available
In the vulnerability description of the CVE entry at NIST, Zohocorp adds that only holders of valid accounts could have abused this flaw. The vulnerability affects ADSelfService Plus build 6510 and older builds.
On Wednesday last week, February 26, the company released the update to version 6511. It is intended to seal the security gap. "The issue has been resolved in ADSelfService Plus 6511 by ensuring that enrollment data is only accessible to the user who is currently authenticated," explains Zohocorp.
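The fix Zohocorp describes is a server-side authorization rule: enrollment data must be bound to the session's authenticated user, never to an identity the caller supplies. The following is an added illustrative model of that rule, not Zohocorp's code; the lookup-by-name pattern, the user names and the enrollment records are assumptions constructed for the example.

```python
"""Illustrative model (added example, not ADSelfService Plus code) of the
access-control rule in the vendor's fix: an enrollment record may only be
returned to the user who owns the authenticated session."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str  # principal established at login (assumed session model)


# Constructed sample enrollment records for hypothetical users.
ENROLLMENTS = {
    "alice": {"phone": "+1-555-0100", "questions": ["pet", "city"]},
    "bob": {"phone": "+1-555-0199", "questions": ["school"]},
}


def get_enrollment_flawed(session: Optional[Session],
                          requested_user: str) -> Optional[dict]:
    """Assumed flawed pattern: being authenticated is the only check, so any
    valid account can read any user's enrollment record by naming it."""
    if session is None:
        return None
    return ENROLLMENTS.get(requested_user)


def get_enrollment_fixed(session: Optional[Session],
                         requested_user: str) -> Optional[dict]:
    """Hardened pattern matching the described fix: the record is resolved
    from the session principal only, and a request for another user's data
    is refused rather than served."""
    if session is None or requested_user != session.user:
        return None
    return ENROLLMENTS.get(session.user)


if __name__ == "__main__":
    bob = Session("bob")
    print("flawed :", get_enrollment_flawed(bob, "alice"))  # leaks alice's data
    print("fixed  :", get_enrollment_fixed(bob, "alice"))   # None
```

A regression test for such a fix should assert that a valid, authenticated session for one user cannot retrieve another user's record, which is exactly the case the flawed version fails.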
Zohocorp's ADSelfService Plus offers web-based management for identities in on-premises, cloud and hybrid environments. It is designed to protect these identities against attacks and to enable centralized management. The vulnerability, however, undermined precisely these functions.
Zohocorp last warned of a vulnerability in ManageEngine Applications Manager at the end of January. Malicious actors were able to gain administrator rights to vulnerable systems. The company had also classified this vulnerability as a high risk.
(dmk)